CISA Mentions 17 Critical Bugs That Need Immediate Patching

Diving into details

• The listed vulnerabilities allow attackers to carry out different types of attacks, such as stealing credentials/information, remotely executing commands, gaining access to networks, and downloading/executing malware.
• Out of the 17 new vulnerabilities, ten must be patched within the first week of February. 
• Four vulnerabilities are given a remediation date of July 18.
• The newly added flaws exist in multiple products, including Struts 1, Serv-U, Airflow, and Nagios XI.

What are newly added vulnerabilities

• The vulnerabilities with required action by February 1 include CVE-2021-32648 (October CMS), CVE-2021-21315 (node.js), CVE-2021-21975 (vRealize Operations Manager), CVE-2021-22991 (BIG-IP Traffic Microkernel), CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 (Nagios XI OS), CVE-2021-33766 (Microsoft Exchange Server), and CVE-2021-40870 (Aviatrix Controller). 
• Additional vulnerabilities with extended dates include CVE-2021-35247, CVE-2020-11978, CVE-2020-13671, CVE-2020-13927, CVE-2020-14864, CVE-2006-1547, CVE-2012-0391, and CVE-2018-8453.

Notable attacks exploiting the listed flaws

• The CVE-2021-32648 flaw in an old version of October CMS used in websites was exploited to deface government websites in Ukraine.
• Another security flaw, tracked as CVE-2021-35247 was uncovered by Microsoft to be abused in the Log4j attacks. The attack targets Windows domain controllers set up as LDAP servers.

Conclusion