The Cybersecurity & Infrastructure Security Agency (CISA) has added 41 flaws to its Known Exploited Vulnerabilities Catalog, including recently addressed issues in the Android kernel (CVE-2021-1048 and CVE-2021-0920) and Cisco IOS XR (CVE-2022-20821).
The Cisco IOS XR flaw (CVE-2022-20821, CVSS score: 6.5, is actively exploited in attacks in the wild, it resides in the health check RPM of Cisco IOS XR Software. An unauthenticated, remote attacker could trigger the issue to access the Redis instance that is running within the NOSi container.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
Some of the flaws added to the catalog in this turn are dated back to 2016, such as the issues affecting Apple (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657), Microsoft (CVE-2016-0162, CVE-2016-3351, CVE-2016-3298) and Cisco Devices (CVE-2016-6366, CVE-2016-6367).
Other issues impact Google, Mozilla, Facebook, Adobe, and Webkit GTK software products, the vulnerabilities range from 2018 to 2021.
Some of the issues have to be addressed by federal agencies by June 13, 2022, while the others need to be fixed by June 14, 2022.
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)