
CISA updates must-patch bug list for federal agencies

Latest collection includes bugs up to seven years old that are still exploited in the wild


The US domestic cyber security agency has added another 15 vulnerabilities to a list of must-patch bugs for federal agencies.

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) added the bugs to its Catalog of Known Exploited Vulnerabilities. This list includes bugs that have been exploited in the wild and for which a patch is available.


This week's additions to the list include vulnerabilities dating back seven years, spanning products from Microsoft Office through to D-Link routers and Oracle WebLogic. It includes four bugs rated as critical under version 3 of the Common Vulnerability Scoring System (CVSS), which scores vulnerabilities based on their severity.

The four critical bugs include CVE-2020-0768, a remote code execution vulnerability in Microsoft SMBv3, which scored the maximum of 10. Another bug in the Jenkins DevOps automation server, CVE-2018-100861, earned a 9.8.

The two other critical vulnerabilities lie in the Apache project's ActiveMQ message broker and its Struts framework for developing Java EE applications.

The rest of the security flaws had a high severity classification, either under CVSS 3 or in some cases, for older bugs, under version 2.

All of the vulnerabilities had a patch deadline of August this year, aside from CVE-2021-36934, a privilege escalation vulnerability in the Microsoft Windows Security Accounts Manager (SAM). CISA deemed this more urgent, with a patch deadline of Feb 24. This bug, disclosed publicly in July 2021, is rated 7.8 (high severity) under CVSS 3. It stems from overly permissive access control lists (ACLs) on system files, including the SAM database, which attackers can use to run their own code with system-level privileges.

CISA created the Catalog of Known Exploited Vulnerabilities as part of November 2021's Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. All civilian federal agencies must patch these bugs, but the agency also recommends that other government agencies use the list to shore up their defences.

The agency has been busy adding bugs to the list. These 15 additions bring those added since Jan 10 to 56. There are 367 vulnerabilities in the catalog as of this week.
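The catalog's value to defenders lies in those due dates. The script below is an added example, not IT Pro's or CISA's code: it parses a feed in the JSON layout CISA publishes for the catalog (the field names cveID, vendorProject, product, dateAdded and dueDate are assumed), buckets entries by remediation deadline, and can be limited to the products an organisation actually runs. The feed contents are a constructed sample, with CVE-EXAMPLE placeholders standing in for real identifiers.

```python
# Added example (not IT Pro's or CISA's code): triage a KEV catalog feed by
# remediation deadline. Assumes the JSON layout CISA publishes for the catalog
# ("vulnerabilities" list with cveID/vendorProject/product/dateAdded/dueDate).
import json
from datetime import date, timedelta

# Constructed sample in the shape of the KEV feed; the CVE-EXAMPLE ids are placeholders.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-36934", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2022-02-10", "dueDate": "2022-02-24"},
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "Router",
     "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleVendor", "product": "Server",
     "dateAdded": "2022-01-10", "dueDate": "2022-01-24"},
]})

def parse_kev(feed_text):
    """Parse the feed into dicts with real date objects for dateAdded/dueDate."""
    out = []
    for v in json.loads(feed_text)["vulnerabilities"]:
        out.append({"cve": v["cveID"], "vendor": v["vendorProject"],
                    "product": v["product"],
                    "added": date.fromisoformat(v["dateAdded"]),
                    "due": date.fromisoformat(v["dueDate"])})
    return out

def triage(entries, today, horizon_days=14, inventory=None):
    """Bucket entries as overdue / due_soon / later relative to `today`.

    `inventory`, if given, is a set of (vendor, product) pairs; entries for
    products not in it are dropped so the list reflects what you actually run.
    """
    horizon = today + timedelta(days=horizon_days)
    buckets = {"overdue": [], "due_soon": [], "later": []}
    for e in sorted(entries, key=lambda e: e["due"]):  # earliest deadline first
        if inventory is not None and (e["vendor"], e["product"]) not in inventory:
            continue
        if e["due"] < today:
            buckets["overdue"].append(e["cve"])
        elif e["due"] <= horizon:
            buckets["due_soon"].append(e["cve"])
        else:
            buckets["later"].append(e["cve"])
    return buckets

if __name__ == "__main__":
    for name, cves in triage(parse_kev(SAMPLE_FEED), date(2022, 2, 14)).items():
        print(f"{name}: {', '.join(cves) or '-'}")
```

Run against the live feed, the same two functions give a per-deadline worklist for the agency's own inventory rather than the full 367-entry catalog.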
