Please see Security Advisories for the week ending January 7, 2022
- Google Releases Security Updates for Chrome
- VMware Releases Security Updates for multiple products
- Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
- CISA Adds 15 Known Exploited Vulnerabilities to Catalog
- WordPress Releases Security Update
_______________________________
Google Releases Security Updates for Chrome
Situation
Google has released Chrome version 97.0.4692.71 for Windows, Mac, and Linux
Problem
This update addresses a number of vulnerabilities such as use after free, inappropriate implementations, heap buffer overflows, type confusion, and more.
Implication
An attacker who is able to successfully exploit these vulnerabilities can allow them to take control of an affected system.
Need
Apply the latest update in Chrome.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2022/01/05/google-releases-security-updates-chrome
________________________________
VMware Releases Security Updates for multiple products
Situation
VMware has released security updates to address a vulnerability found in Workstation, Fusion, and ESXi.
Problem
The vulnerability found is a heap-overflow vulnerability (CVE-2021-22045) in the CD-ROM device emulation function. An attacker with access to a virtual machine that has CD-ROM device emulation enabled can chain this vulnerability with others to execute code on the hypervisor from a virtual machine.
Implication
An attacker who is able to successfully exploit this vulnerability can allow them to take control of an affected system.
Need
VMware recommends users and administrators to apply the latest patches to protect against this vulnerability. Additional information and workarounds can be found in the link below.
VMware security advisory:
https://www.vmware.com/security/advisories/VMSA-2022-0001.html
________________________________
Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
Situation
Mozilla has released security updates for Firefox 96, Firefox ESR 91.5, and Thunderbird 91.5 releases.
Proble
Mozilla has released fixes that addressed vulnerabilities such as Browser Window spoofing in full screen mode, out of bounds memory access in edit mode, heap buffer overflow when applying a CSS filter effect, race condition when playing audio files, iframe sandbox bypass with XSLT, Lack of URL restrictions when scanning QR codes, and potential local privilege escalation when loading modules from the install directory.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the Mozilla security advisories for Firefox 96, Firefox ESR 91.5, and Thunderbird 91.5 and apply the necessary updates.
For a brief overview:
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/
________________________________
CISA Adds 15 Known Exploited Vulnerabilities to Catalog
Situation
The CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of threat actors actively exploiting these vulnerabilities. These types of vulnerabilities are a frequent attack vector used by malicious cyber actors of all types and pose significant risk if left unpatched.
Problem
The vulnerabilities that were added to this report include a Google Chrome use-after-free vulnerability prior to 81.0.4044.92, Microsoft remote code execution vulnerability found in WinVerify Trust function, a PAN-OS remote code execution vulnerability, VMware vCenter Server improper access control, and others.
Implication
Failure to implement timely remediation of these cataloged vulnerabilities could leave an organizations exposed to potential cyberattacks.
Need
The CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.
For a brief overview:
CISA Vulnerabilities to Catalog:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
________________________________
WordPress Releases Security Update
Situation
WordPress has released a security update addressing multiple vulnerabilities found in versions between 3.7 and 5.8.
Problem
The vulnerabilities addressed in the update include a stored cross-site scripting (XSS) vulnerability through post slugs function, a object injection in multisite installations, and two SQL injection vulnerability found in WP_Tax_Query and WP_Meta_Query functions..
Implication
An attacker who is able to successfully exploit some of these vulnerabilities could cause a denial of service condition.
Need
The CISA encourages users and administrators to review the WordPress’s Security Release and upgrade to WordPress 5.8.3.
WordPress’s Security Release:
https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/