The US Cybersecurity and Infrastructure Security Agency (CISA) has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog. The additions include two zero-days, one affecting Google Chrome and one affecting Adobe Commerce/Magento Open Source.
CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to apply patches for these two security vulnerabilities by March 1, 2022.
The list is a mix of old and new bugs, with CVE identifiers dating from 2013 to 2022. The nine flaws added to CISA’s Known Exploited Vulnerabilities Catalog are listed below:
- CVE-2017-9841 - PHPUnit Command Injection
- CVE-2022-0609 - Google Chrome Use-After-Free
- CVE-2018-20250 - WinRAR Absolute Path Traversal
- CVE-2018-15982 - Adobe Flash Player Use-After-Free
- CVE-2014-1761 - Microsoft Word Memory Corruption
- CVE-2019-0752 - Microsoft Internet Explorer Type Confusion
- CVE-2013-3906 - Microsoft Graphics Component Memory Corruption
- CVE-2018-8174 - Microsoft Windows VBScript Engine Out-of-Bounds Write
- CVE-2022-24086 - Adobe Commerce and Magento Open Source Improper Input Validation
Google Chrome zero-day vulnerability (CVE-2022-0609)
Clément Lecigne of Google’s Threat Analysis Group identified this vulnerability. It is the first zero-day fixed by Google this year. The vulnerability is described as “Use after free in Animation” and was assigned a high severity rating. Attackers frequently exploit use-after-free bugs to run arbitrary code or escape the browser’s security sandbox on machines running unpatched versions of Chrome.
Adobe Magento zero-day vulnerability (CVE-2022-24086)
A remote attacker can execute arbitrary code on the target system by sending a specially crafted request to the application. Successful exploitation can result in complete compromise of the vulnerable system.
Affected versions
Google Chrome versions before 98.0.4758.102 are affected by this vulnerability.
Adobe Commerce and Magento Open Source versions 2.3.3-p1 through 2.3.7-p2 and 2.4.0 through 2.4.3-p1 are affected by this vulnerability.
Mitigation
Google has released Chrome 98.0.4758.102 for Windows, Mac, and Linux to mitigate this vulnerability. For more information, please refer to the Google Security Advisory.
Adobe has patched the vulnerability in versions after 2.3.7-p2 and 2.4.3-p1. Customers can refer to the Adobe Security Advisory for more information regarding this vulnerability.
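The affected-version ranges above are what an asset-inventory check has to encode, and the Magento ranges need care because the -pN patch suffix sorts after the bare release (2.3.7 comes before 2.3.7-p1, which comes before 2.3.7-p2). The following is an added example, not code from Qualys or from this advisory: it parses Chrome and Magento version strings into comparable tuples, tests them against the ranges stated on this page, and runs the check over a constructed sample inventory. The host names, the `triage` function and the inventory format are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Chrome: versions before 98.0.4758.102 are affected (from the advisory text).
CHROME_FIXED = (98, 0, 4758, 102)

# Adobe Commerce / Magento Open Source: inclusive affected ranges from the advisory.
MAGENTO_AFFECTED_RANGES = [
    ("2.3.3-p1", "2.3.7-p2"),
    ("2.4.0", "2.4.3-p1"),
]

_MAGENTO_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_chrome_version(v: str) -> Tuple[int, ...]:
    """Turn '98.0.4758.102' into a tuple of ints so tuples compare numerically."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {v!r}")
    return tuple(int(p) for p in parts)


def parse_magento_version(v: str) -> Tuple[int, int, int, int]:
    """Turn '2.3.7-p2' into (2, 3, 7, 2).

    A release without a -pN suffix gets patch level 0, so
    2.3.7 < 2.3.7-p1 < 2.3.7-p2, which is how Adobe orders its releases.
    """
    m = _MAGENTO_RE.match(v.strip())
    if not m:
        raise ValueError(f"unexpected Magento version string: {v!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def chrome_is_affected(version: str) -> bool:
    """True when the installed Chrome build predates the fixed build."""
    return parse_chrome_version(version) < CHROME_FIXED


def magento_is_affected(version: str) -> bool:
    """True when the version falls inside either advisory range (inclusive)."""
    key = parse_magento_version(version)
    for lo, hi in MAGENTO_AFFECTED_RANGES:
        if parse_magento_version(lo) <= key <= parse_magento_version(hi):
            return True
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, product, version) entries to (host, CVE) findings.

    Assumed inventory format for this example: product is 'chrome' or 'magento'.
    """
    findings = []
    for host, product, version in inventory:
        if product == "chrome" and chrome_is_affected(version):
            findings.append((host, "CVE-2022-0609"))
        elif product == "magento" and magento_is_affected(version):
            findings.append((host, "CVE-2022-24086"))
    return findings


# Constructed sample inventory (host names are made up for the example).
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "98.0.4758.80"),     # earlier build of the fixed major: affected
    ("ws-02", "chrome", "98.0.4758.102"),    # the fixed build: not affected
    ("shop-01", "magento", "2.4.3"),         # inside 2.4.0 .. 2.4.3-p1: affected
    ("shop-02", "magento", "2.4.3-p1"),      # upper bound of the range: affected
    ("shop-03", "magento", "2.3.3"),         # below 2.3.3-p1: outside the stated range
    ("shop-04", "magento", "2.3.7-p3"),      # above 2.3.7-p2: outside the stated range
]

if __name__ == "__main__":
    for host, cve in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by {cve}")
```

The check deliberately treats the boundaries as inclusive, exactly as the advisory lists them; whether a host outside the stated ranges is actually safe still depends on whether the vendor's fix has been applied, which a version string alone does not show for Magento hotfixes.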
Qualys Detection
Qualys customers can scan their devices with QIDs 376416 and 730359 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html
https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-zero-day-exploited-in-attacks/
https://www.bleepingcomputer.com/news/security/cisa-tells-federal-agencies-to-patch-actively-exploited-chrome-magento-bugs/
https://support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12-