Details of Newly Added Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog with critical vulnerabilities affecting several widely used software products. The additions are a reminder for organizations running these products to track the catalog closely and remediate promptly.
The vulnerabilities now included in the catalog are as follows:
- CVE-2024-27348: Apache HugeGraph-Server Improper Access Control Vulnerability
- CVE-2020-0618: Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
- CVE-2019-1069: Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
- CVE-2022-21445: Oracle JDeveloper Remote Code Execution Vulnerability
- CVE-2020-14644: Oracle WebLogic Server Remote Code Execution Vulnerability
Among these, the CVE-2022-21445 vulnerability, which carries a CVSS score of 9.8, poses a significant risk. It allows unauthenticated attackers with network access via HTTP to exploit the flaw in Oracle JDeveloper, potentially leading to a complete takeover of the application. This vulnerability affects versions 12.2.1.3.0 and 12.2.1.4.0 and is noted for its ease of exploitation.
Similarly, the CVE-2020-14644 vulnerability, also rated at 9.8, impacts Oracle WebLogic Server. An attacker could exploit this remote code execution issue via IIOP, compromising the server and gaining control over it. This vulnerability affects versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, and is likewise easily exploitable.
Additionally, the CVE-2019-1069 vulnerability, with a CVSS score of 7.8, is an elevation of privilege flaw in the Microsoft Windows Task Scheduler. It allows an attacker who can already run unprivileged code on a victim system to gain elevated privileges. The flaw was disclosed by researcher SandboxEscaper in June, and Microsoft addressed it promptly with security updates.
The CVE-2020-0618 vulnerability, also scoring 7.8, affects Microsoft SQL Server Reporting Services. It arises from improper handling of page requests, enabling remote attackers to execute arbitrary code through a memory corruption flaw.
Lastly, the CVE-2024-27348 vulnerability in Apache HugeGraph-Server, rated at 9.8, allows attackers to bypass sandbox restrictions and potentially execute remote code. This issue affects versions from 1.0.0 up to but not including 1.3.0 on Java 8 and Java 11.
In accordance with the Binding Operational Directive (BOD) 22-01, which focuses on reducing the risks associated with known exploited vulnerabilities, federal agencies are mandated to address these identified vulnerabilities by October 9, 2024. Experts also advise private organizations to review the KEV catalog and take necessary actions to fortify their infrastructure against these threats.
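A defender's check that turns the affected-version details above into an inventory match against the KEV entries, as an added example that is not part of the original article. The KEV records and the asset inventory are constructed (the record field names cveID, product and dueDate follow CISA's public KEV JSON feed), and the version rules are the ones stated in the text; the two Windows CVEs are left out because the article gives no version information for them.

```python
from datetime import date

# Constructed subset of the KEV feed covering the article's entries that have
# affected-version details; field names follow CISA's public KEV JSON feed.
KEV_ENTRIES = [
    {"cveID": "CVE-2024-27348", "product": "Apache HugeGraph-Server", "dueDate": "2024-10-09"},
    {"cveID": "CVE-2022-21445", "product": "Oracle JDeveloper", "dueDate": "2024-10-09"},
    {"cveID": "CVE-2020-14644", "product": "Oracle WebLogic Server", "dueDate": "2024-10-09"},
]


def parse_version(text):
    """Turn '12.2.1.4.0' into (12, 2, 1, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


# Affected-version rules as stated in the article: a half-open range for
# HugeGraph, exact version lists for the two Oracle products.
AFFECTED = {
    "CVE-2024-27348": lambda v: parse_version("1.0.0") <= v < parse_version("1.3.0"),
    "CVE-2022-21445": lambda v: v in {parse_version("12.2.1.3.0"), parse_version("12.2.1.4.0")},
    "CVE-2020-14644": lambda v: v in {parse_version(x) for x in ("12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0")},
}

# Constructed inventory, shaped like an asset-database export (host, product, version).
INVENTORY = [
    {"host": "graph-01", "product": "Apache HugeGraph-Server", "version": "1.2.0"},
    {"host": "graph-02", "product": "Apache HugeGraph-Server", "version": "1.3.0"},
    {"host": "wls-prod", "product": "Oracle WebLogic Server", "version": "14.1.1.0.0"},
    {"host": "dev-box", "product": "Oracle JDeveloper", "version": "12.2.1.4.0"},
    {"host": "dev-old", "product": "Oracle JDeveloper", "version": "12.2.1.2.0"},
]
EXAMPLE_TODAY = date(2024, 9, 25)  # constructed scan date, before the BOD 22-01 deadline


def match_inventory(inventory, kev_entries, today):
    """Return one (cveID, host, version, days_until_due) tuple per exposed asset,
    ordered by soonest due date, then by CVE id."""
    by_product = {}
    for entry in kev_entries:
        by_product.setdefault(entry["product"], []).append(entry)
    hits = []
    for asset in inventory:
        version = parse_version(asset["version"])
        for entry in by_product.get(asset["product"], []):
            rule = AFFECTED.get(entry["cveID"])
            if rule is not None and rule(version):  # skip entries without a version rule
                due = date.fromisoformat(entry["dueDate"])
                hits.append((entry["cveID"], asset["host"], asset["version"], (due - today).days))
    return sorted(hits, key=lambda hit: (hit[3], hit[0]))
```

Running `match_inventory(INVENTORY, KEV_ENTRIES, EXAMPLE_TODAY)` flags graph-01, wls-prod and dev-box with 14 days to the deadline, while graph-02 (already on 1.3.0) and dev-old (a version the article does not list) are not reported.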