Why Ownership Questions Reveal Governance Gaps Sarah was preparing documentation for an upcoming compliance review…
Update on the Federal Government’s Catalog of Cyber Vulnerabilities: The November 2021 Listing Has Grown
It’s been several weeks since we last updated our review of the latest vulnerabilities disclosed in the Catalog of Known Exploited Vulnerabilities maintained and periodically updated by the Cybersecurity & Infrastructure Security Agency (CISA). The last time we discussed the catalog in November 2021, four new vulnerabilities were added, bringing the total to 292 vulnerabilities.
The CISA catalog is provided for two primary reasons: (1) to allow non-military agencies and their contractors to identify open and new cybersecurity vulnerabilities, and (2) as a means of CISA announcing remediation deadlines. The bi-monthly updating process is intended to be a timely and valued resource to agencies, their contractors, and all of us in staying up-to-date in maintaining cybersecurity hygiene.
Since November 17, CISA has added new vulnerabilities on nine different occasions, which is certainly a more intense schedule than the twice-a-month pace originally forecasted. The number of vulnerabilities has ranged from one (February 4, 2022) and to 15 (January 10, 2022).
Where are the vulnerabilities coming from?
Yet again, Microsoft has the most listed vulnerabilities – 16 of the 76 since November, including two listed as “Windows” vulnerabilities. The prominence of Microsoft on what could be viewed as a Rogues’ List of Risky Software is not surprising given the breadth and usage of its product offerings.
Among those with serious-sounding descriptions are two of the three affecting Apache Struts. These January 21st listings state that the software contains separate vulnerabilities that “allow(…) for denial-of-service” and “remote code execution”.
Widely-used Google Chrome or Chromium have listed vulnerabilities as well. Both products cite defects enabling after-use exposure to remote hackers and allowing them to execute arbitrary code on a target system.
The CISA has labeled 39 vendor products or items of publicly available software over the past couple of months. The current list can be obtained here. Everyone involved in cybersecurity should take the time to review the updated list and see if items in your or your client’s technology stacks are included.
By the way, the remedial action for each issue is the same. “Apply updates per vendor instructions”. The time frame for updates is always about the same as well, either a few weeks or six months. The difference, one has to assume, is whether the vendor updates are currently available.
Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments