This is the last patch watch blog for 2022 and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has prioritized 3 vulnerabilities to be patched by the end of this year. However, CISA continues to add more vulnerabilities to the KEV catalog that are currently being targeted by threat actors. In addition to this, CISA also runs a #StopRansomware campaign to alert organizations of the latest ransomware threats.
Why are these CVEs important?
From our analysis, we found:
All 3 vulnerabilities are weaponized and have publicly exposed exploits.
CVE-2021-35587 is a critical Oracle Fusion Middleware Access Manager that allows an unauthenticated attacker with network access via HTTP to take over the Access Manager product.
CVE-2022-4135 allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge. This is the 8th zero day vulnerability that Chrome patched this year.
CVE-2022-4262, is another Chromium browser zero-day vulnerability that allows remote attackers to exploit heap (memory) corruption via a crafted HTML page.
How Far Back Do They Go?
The Chrome vulnerabilities discovered this year pose a risk to all Chrome users and not just enterprises. It is best if all Chrome users updated their browsers to the latest version.
Which Vendors Are Affected?
Chrome has patched 9 zero-day vulnerabilities in this year, apart from other flaws. Two of these vulnerabilities are recommended to be patched by 26-12-2022.
These vulnerabilities are ranked high and critical on the CVSS scale. These vulnerabilities impact 7 affected products in total and are widely used.
CVE-2021-35587 does not have any CWE attached to it
Table: DHS CISA KEVs
We urge organizations to implement patches for these CVEs at the earliest. With CSW’s threat-based approach and vulnerability intelligence, security teams can prioritize the threats, including all KEVs, and minimize their attack surface.
For the latest news regarding vulnerabilities that are exploited and critical threats, read our blog on Weekly Threat Intelligence.