Please see Security Advisories for the week ending December 17, 2021
- CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities
- VMware Releases Security Advisory
- NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures
- Google Releases Security Updates for Chrome
- Adobe Releases Security Updates for Multiple Products
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks
- Security Advisory: SAP Releases December 2021 Security Updates
- Microsoft Has Released December 2021 Security Updates
- Apple Releases Security Updates
- CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228
CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities
Situation
CISA has issued Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability, directing federal civilian executive branch (FCEB) agencies to address Log4j vulnerabilities—most notably, CVE-2021-44228.
Problem
A series of vulnerabilities in the popular Java-based logging library Log4j are under active exploitation by multiple threat actors. Exploitation of one of these vulnerabilities allows an unauthenticated attacker to remotely execute code on a server. Successful exploitation can occur even if the software accepting data input is not written in Java; such software is able to pass malicious strings to other (back end) systems that are written in Java.
Implication
Based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability is far too high to neglect following the guidance of the emergency directive.
Need
Although ED 22-02 applies to FCEB agencies, CISA strongly recommends that all organizations review ED 22-02 for mitigation guidance. For additional details, see CISA’s webpage Apache Log4j Vulnerability Guidance.
For a brief overview:
For a more technical overview:
https://www.cisa.gov/emergency-directive-22-02
________________________________
VMware Releases Security Advisory
Situation
VMware has released a security advisory to address a vulnerability in Workspace ONE UEM console.
Problem
VMware Workspace ONE UEM console contains a Server-Side Request Forgery (SSRF) vulnerability. A malicious actor with network access to UEM can send their requests without authentication and may exploit this issue to gain access to sensitive information.
Implication
An attacker could exploit this vulnerability to obtain sensitive information.
Need
CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0029 and apply the necessary mitigation.
For a brief overview:
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/vmware-releases-security-advisory
For a more technical overview:
https://www.vmware.com/security/advisories/VMSA-2021-0029.html
________________________________
NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures
Situation
CISA has announced the joint National Security Agency (NSA) and CISA publication of the final of a four-part series, Security Guidance for 5G Cloud Infrastructures.
Problem
Improperly deployed, configured, or managed 5G equipment and networks may be vulnerable to disruption and manipulation. The 5G supply chain is susceptible to the malicious or unintentional introduction of risks such as malicious software and hardware, counterfeit components, and poor designs, manufacturing processes, and maintenance procedures. 5G builds upon previous generations of wireless networks and is currently being integrated with 4G LTE networks that contain some legacy vulnerabilities. Lack of interoperability with other technologies and services limits the ability of trusted companies to compete in the 5G market. The implementation of untrusted components into a 5G network could expose communications infrastructure to malicious or poorly developed hardware and software and could significantly increase the risk of compromise to the confidentiality, integrity, and availability of 5G data.
Implication
Failure to follow guidance could leave 5G Cloud infrastructures vulnerable to compromise.
Need
CISA encourages 5G providers, integrators, and network operators to review the guidance and consider the recommendations.
For a brief overview:
________________________________
Google Releases Security Updates for Chrome
Situation
Google has released Chrome version 96.0.4664.110 for Windows, Mac, and Linux.
Implication
This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.
Need
CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates as soon as possible.
For a brief overview:
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/14/google-releases-security-updates-chrome
For a more technical overview:
https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html
________________________________
Adobe Releases Security Updates for Multiple Products
Situation
Adobe has released security updates to address vulnerabilities in multiple Adobe products.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates.
For a brief overview:
For a more technical overview:
https://helpx.adobe.com/security.html
________________________________
CISA Adds Two Known Exploited Vulnerabilities to Catalog
Situation
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table in the CISA advisory.
Problem
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Implication
Failure to implement timely remediation of cataloged vulnerabilities could leave organizations exposed to cyberattacks.
Need
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.
For a brief overview:
For a more technical overview:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
________________________________
Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks
Situation
In light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential cyberattacks.
Problem
Sophisticated threat actors, including nation-states and their proxies, have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms. These actors have also demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.
Implication
Failure to adopt a heightened level of awareness regarding the CISA Insights could leave organizations vulnerable to compromise.
Need
CISA encourages leadership at all organizations—and critical infrastructure owners and operators in particular—to review the CISA Insights and adopt a heightened state of awareness.
For a brief overview:
For a more technical overview:
https://www.cisa.gov/publication/preparing-and-mitigating-potential-cyber-threats
________________________________
Security Advisory: SAP Releases December 2021 Security Updates
Situation
SAP has released December 2021 security updates to address vulnerabilities affecting multiple products, such as SAP Commerce, SAP ABAP Server & ABAP Platform, SAP NZDT Mapping Table, SAP NetWeaver, SAP Web Dispatcher, and more.
Problem
SAP has addressed vulnerabilities ranging in severity from Low to Critical. These vulnerabilities include code execution, code injection, SQL injection, cross-site scripting (XSS), denial of service (DoS), and others.
Implication
An attacker who successfully exploits some of these vulnerabilities could take control of an affected system.
Need
SAP recommends that customers apply the necessary security updates to protect against these vulnerabilities. Additional information can be found below.
SAP Security Notes for December 2021:
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021
________________________________
Microsoft Has Released December 2021 Security Updates
Situation
Microsoft has released updates for December 2021. These updates address multiple vulnerabilities in Microsoft software such as Microsoft Local Security Authority Server, Windows, Office, Visual Studio, Microsoft Office, PowerShell, and more. The December 2021 patch also includes fixes for six zero-day vulnerabilities, one of which is actively being exploited.
Problem
Microsoft has released patches for 67 vulnerabilities, including seven classified as Critical and 60 as Important. This update addresses a wide range of vulnerabilities, including 21 elevation of privilege, 26 remote code execution, 10 information disclosure, seven spoofing, and three denial of service vulnerabilities. One of these, tracked as CVE-2021-43890 (a Windows AppX Installer vulnerability), is currently being exploited in the wild.
Implication
An attacker who successfully exploits some of these vulnerabilities could take control of an affected system.
Need
Microsoft recommends updating all affected Microsoft software as soon as possible to protect against these vulnerabilities. Additional information and patch notes can be found at the link below.
Microsoft December 2021 release notes:
https://msrc.microsoft.com/update-guide/releaseNote/2021-Dec
________________________________
Apple Releases Security Updates
Situation
Apple has released security updates to address vulnerabilities in multiple products including macOS, iOS, iPadOS, watchOS, and tvOS.
Problem
The vulnerabilities found include buffer overflow, memory corruption, out-of-bounds read and write, race condition, and more.
Implication
An attacker who successfully exploits some of these vulnerabilities could take control of an affected device.
Need
Apple and CISA recommend that users and administrators update all affected Apple products to their most recent version.
For a brief overview:
Apple security updates:
https://support.apple.com/en-us/HT201222
________________________________
CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228
Situation
CISA has created a webpage that will supply information regarding the Log4j Vulnerability.
Problem
The webpage will provide updates on public information and vendor information for the Log4j vulnerability.
Implication
A remote unauthenticated attacker could exploit this vulnerability to take control of an affected system.
Need
Review the CISA webpage for new information regarding this vulnerability.
For more info: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance