The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is mandating that federal agencies patch actively exploited vulnerabilities in Google Chrome and the Adobe Commerce and Magento platforms by March 1.
The agency added the two actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, along with seven other flaws. The catalog was introduced in November as a way to push federal civilian agencies to apply patches, such as the ones for the Log4j flaw, on “a more aggressive” timeline.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” according to CISA in its Tuesday alert.
One of the actively exploited vulnerabilities is a high-severity use-after-free flaw (CVE-2022-0609) in the Animation component of Google Chrome. In a Monday security advisory, Google said that it is aware of reports that an exploit for the flaw exists in the wild, and that a fix is available in version 98.0.4758.102 for Windows, Mac and Linux, which will roll out over the coming days. The flaw was discovered by Adam Weidemann and Clément Lecigne of Google's Threat Analysis Group earlier in February.
The other actively exploited flaw affects Adobe’s Commerce platform and Magento, an open-source platform that offers a hosted and self-hosted CMS for online shops. The issue stems from a critical improper validation vulnerability (CVE-2022-24086) that could lead to arbitrary code execution. Adobe said that the flaw has been exploited in the wild in “very limited attacks” targeting Adobe Commerce merchants.
“A remote and unauthorized attacker can send a malicious request to the application and execute arbitrary code on the target server,” said Pieter Arntz, malware intelligence researcher with Malwarebytes, in an analysis of the vulnerability. “Successful exploitation of this vulnerability may result in complete compromise of the affected system.”
Also added to CISA’s catalog are a number of older flaws, including Microsoft vulnerabilities in Internet Explorer (CVE-2019-0752), Windows VBScript Engine (CVE-2018-8174), Word (CVE-2014-1761) and the Graphics Component (CVE-2013-3906). Federal agencies have until August 15 to patch these vulnerabilities, but CISA hopes that the catalog will motivate enterprise organizations to apply the updates as well.
“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” according to CISA.
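Organizations that want to follow CISA's advice need a way to turn the catalog's due dates into a prioritized work list. The following added example (not CISA's code or tooling) parses a constructed sample written in the layout of the KEV JSON feed, keeps only the vendor/product pairs an organization actually runs, and labels each entry as overdue, due soon or scheduled relative to a chosen date; the product strings and the sample entries are assumptions based on this article, not copied from the live feed.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed. The CVE ids and
# due dates come from the article; vendor/product strings are placeholders
# and the entries were hand-written here, not downloaded from CISA.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-0609", "vendorProject": "Google", "product": "Chrome",
     "dueDate": "2022-03-01", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-24086", "vendorProject": "Adobe", "product": "Commerce and Magento",
     "dueDate": "2022-03-01", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2019-0752", "vendorProject": "Microsoft", "product": "Internet Explorer",
     "dueDate": "2022-08-15", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2018-8174", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2022-08-15", "requiredAction": "Apply updates per vendor instructions."},
]})


def triage(kev_json, in_scope, today_iso, horizon_days=14):
    """Return KEV entries whose (vendorProject, product) is in `in_scope`,
    tagged OVERDUE / DUE_SOON / SCHEDULED and sorted by soonest deadline."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if (entry["vendorProject"], entry["product"]) not in in_scope:
            continue  # product not deployed here; nothing to remediate
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= horizon_days:
            status = "DUE_SOON"
        else:
            status = "SCHEDULED"
        findings.append({"cveID": entry["cveID"], "product": entry["product"],
                         "dueDate": entry["dueDate"], "daysLeft": days_left,
                         "status": status, "action": entry["requiredAction"]})
    # Soonest deadline first; tie-break on CVE id so output is stable.
    findings.sort(key=lambda f: (f["daysLeft"], f["cveID"]))
    return findings


if __name__ == "__main__":
    # Hypothetical inventory: this organization runs Chrome and Internet Explorer.
    deployed = {("Google", "Chrome"), ("Microsoft", "Internet Explorer")}
    for f in triage(KEV_SAMPLE, deployed, "2022-02-20"):
        print(f"{f['status']:9} {f['cveID']:15} due {f['dueDate']} ({f['daysLeft']:+d} days) {f['product']}")
```

Swapping `KEV_SAMPLE` for the downloaded feed and `deployed` for an export from an asset inventory gives a daily report that surfaces catalog deadlines before they lapse.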