CISA adds Log4Shell Log4j flaw to the Known Exploited Vulnerabilities Catalog

The U.S. CISA added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including Apache Log4Shell Log4j and Fortinet FortiOS issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including recently disclosed Apache Log4Shell Log4j and Fortinet FortiOS flaws.

Below is the list of new vulnerabilities added to the Known Exploited Vulnerabilities Catalog, which is the list of issues frequently used as attack vector by threat actors in the wild and that pose significant risk to the federal enterprise.

CVE Number	CVE Title	Remediation Due Date
CVE-2021-44228	Apache Log4j2 Remote Code Execution Vulnerability	12/24/2021
CVE-2021-44515	Zoho Corp. Desktop Central Authentication Bypass Vulnerability	12/24/2021
CVE-2021-44168	Fortinet FortiOS Arbitrary File Download Vulnerability	12/24/2021
CVE-2021-35394	Realtek Jungle SDK Remote Code Execution Vulnerability	12/24/2021
CVE-2020-8816	Pi-Hole AdminLTE Remote Code Execution Vulnerability	6/10/2022
CVE-2020-17463	Fuel CMS SQL Injection Vulnerability	6/10/2022
CVE-2019-7238	Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability	6/10/2022
CVE-2019-13272	Linux Kernel Improper Privilege Management Vulnerability	6/10/2022
CVE-2019-10758	MongoDB mongo-express Remote Code Execution Vulnerability	6/10/2022
CVE-2019-0193	Apache Solr DataImportHandler Code Injection Vulnerability	6/10/2022
CVE-2017-17562	Embedthis GoAhead Remote Code Execution Vulnerability	6/10/2022
CVE-2017-12149	Red Hat Jboss Application Server Remote Code Execution Vulnerability	6/10/2022
CVE-2010-1871	Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability	6/10/2022

The CVE-2021-44228 flaw made the headlines last week, after Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library.

The impact of the issue is devastating, thousands of organizations worldwide are potentially exposed to attacks and security experts are already reported exploitation attempts in the wild.

CISA also warns of a recently disclosed arbitrary file download vulnerability in FortiOS, tracked as CVE-2021-44168, that is actively exploited.

“A download of code without integrity check vulnerability [CWE-494] in the “execute restore src-vis” command of FortiOS may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.” reads the advisory published by Fortinet. “Fortinet is aware of an instance where this vulnerability was abused and recommends immediately validating your systems for indicators of compromise”

Other flaws added to the catalog affects Fuel CMS, Pi-Hole AdminLTE, Realtek Jungle SDK, Sonatype Nexus, Linux Kernel, MongoDB, Apache Solr, Embedthis GoAhead, and Red Hat Jboss.

Early December, CISA also updated its catalog of actively exploited vulnerabilities recommending federal agencies to address the flaws in Qualcomm, Mikrotik, Zoho and the Apache Software Foundation software within specific timeframes and deadlines. The US agency also warns of risk to the federal enterprise for delaying to address these vulnerabilities.

Under Binding Operational Directive (BOD) 22-01, federal organizations are required to address the the vulnerabilities in the catalog as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4shell)

[adrotate banner=”5″]

[adrotate banner=”13″]