Pierluigi Paganini May 02, 2023

US Cybersecurity and Infrastructure Security Agency (CISA) added TP-Link, Apache, and Oracle vulnerabilities to its Known Exploited Vulnerabilities catalog.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following three new issues to its Known Exploited Vulnerabilities Catalog:

CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX-21 Command Injection Vulnerability. The CVE-2023-1389 flaw is an unauthenticated command injection vulnerability that resides in the locale API of the web management interface of the TP-Link Archer AX21 router. The root cause of the problem is the lack of input sanitization in the locale API that manages the router’s language settings. A remote attacker can trigger the issue to inject commands that should be executed on the device.

The vulnerability was first reported to ZDI during the Pwn2Own Toronto 2022 event. Working exploits for LAN and WAN interface accesses were respectively reported by Team Viettel and Qrious Security. 

The Zero Day Initiative (ZDI) threat-hunting team recently reported that the Mirai botnet attempting to exploit the CVE-2023-1389 vulnerability (aka ZDI-CAN-19557/ZDI-23-451, CVSS v3: 8.8) in TP-Link Archer AX21 Wi-Fi routers.

CVE-2021-45046 (CVSS score: 9.0) – Apache Log4j2 deserialization of untrusted data vulnerability. Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

CVE-2023-21839 (CVSS score: 7.5) – Oracle WebLogic Server Unspecified Vulnerability. Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by May 22, 2023.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)