[TheRecord] CISA creates catalog of known exploited vulnerabilities, orders agencies to patch

The US Cybersecurity and Infrastructure Security Agency today established a public catalog of vulnerabilities known to be exploited in the wild and issued a binding operational directive ordering US federal agencies to patch affected systems within specific timeframes and deadlines.

The catalog, which is available online, currently lists 306 vulnerabilities, some as old as 2010, that are still being exploited in the wild.

This includes vulnerabilities for products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM, and many other companies, small and large alike.

For the vulnerabilities disclosed this year (with a CVE code of CVE-2021-*****), CISA has ordered US federal civilian agencies to apply patches by November 17, 2021.

For older vulnerabilities, agencies have to patch systems by May 3, 2022.

“These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents,” CISA said in a binding operational directive today.

In a tweet today announcing the agency’s new effort, CISA Director Jen Easterly said that while the binding operational directive can only force US federal agencies to take action, all organizations should patch the listed vulnerabilities, as the same exploits are also used to attack private entities.

The BOD applies to federal civilian agencies; however, ALL organizations should adopt this Directive and prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations: https://t.co/Urafj9lYmh

— Jen Easterly (@CISAJen) November 3, 2021

In a press release, CISA also said it plans to add new entries to the database as new vulnerabilities come under active exploitation.

An RSS feed was provided for this purpose, so that IT and security teams can keep an eye on new entries to the database.
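The two deadline tiers above and the RSS feed suggest a routine a defender can automate: pull new catalog entries, match them against an asset inventory, and flag anything past its BOD deadline. The following is an added example written for this page; it is not code from The Record or from CISA. The RSS snippet, the inventory, the host names and the CVE ids (the `0000` sequence is used as an obvious placeholder) are all constructed sample data, and the feed layout (one `<item>` per entry with the CVE id in the `<title>`) is an assumption about the feed format, not something the article specifies.

```python
"""Triage a host inventory against a KEV-style RSS feed using the BOD 22-01
deadline rule reported in the article: CVE-2021-* entries are due 2021-11-17,
older entries are due 2022-05-03.

Added example, not the article's or CISA's own code. All sample data below is
constructed and the feed layout is an assumption.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Deadlines exactly as the article reports them.
DUE_2021 = date(2021, 11, 17)
DUE_OLDER = date(2022, 5, 3)

# Constructed RSS sample; the CVE ids are placeholders, not real entries.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Known Exploited Vulnerabilities (constructed sample)</title>
<item><title>CVE-2021-0000 ExampleCo Widget - Remote Code Execution</title>
<pubDate>Wed, 03 Nov 2021 00:00:00 GMT</pubDate></item>
<item><title>CVE-2019-0000 ExampleCo Gateway - Path Traversal</title>
<pubDate>Wed, 03 Nov 2021 00:00:00 GMT</pubDate></item>
<item><title>CVE-2010-0000 ExampleCo Server - Authentication Bypass</title>
<pubDate>Wed, 03 Nov 2021 00:00:00 GMT</pubDate></item>
</channel></rss>"""

# Constructed inventory: host -> CVE ids a scanner reported as unpatched.
SAMPLE_INVENTORY = {
    "web-01": {"CVE-2021-0000", "CVE-2019-0000"},
    "db-01": {"CVE-2010-0000"},
    "build-01": {"CVE-2020-0000"},  # not in the catalog, so not flagged here
}


def parse_feed(rss_text):
    """Return one dict per <item> whose title names a CVE id."""
    root = ET.fromstring(rss_text)
    entries = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        match = CVE_RE.search(title)
        if not match:
            continue  # nothing to match an inventory against
        entries.append({"cve": match.group(0), "title": title,
                        "published": item.findtext("pubDate", default="")})
    return entries


def bod_due_date(cve_id):
    """Deadline under the two-tier rule, or None for CVE years the article
    does not cover (anything newer than 2021)."""
    year = int(cve_id.split("-")[1])
    if year == 2021:
        return DUE_2021
    if year < 2021:
        return DUE_OLDER
    return None


def triage(inventory, entries, today):
    """Cross-reference inventory CVEs with catalog entries; `today` is an ISO date.
    Returns findings sorted by due date, earliest first, with an overdue flag."""
    catalog = {e["cve"]: e for e in entries}
    today = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in sorted(cves):
            if cve not in catalog:
                continue  # vulnerable, but not known-exploited: lower priority
            due = bod_due_date(cve)
            findings.append({"host": host, "cve": cve, "title": catalog[cve]["title"],
                             "due": due.isoformat() if due else None,
                             "overdue": bool(due and today > due)})
    findings.sort(key=lambda f: (f["due"] or "9999-12-31", f["host"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, parse_feed(SAMPLE_RSS), "2021-12-01"):
        flag = "OVERDUE" if f["overdue"] else "due"
        print(f"{f['host']:10} {f['cve']:16} {flag:8} {f['due']}  {f['title']}")
```

Run against a real feed, the only change needed is to read the RSS text from the catalog URL instead of the embedded sample; the `overdue` flag is what a ticketing or dashboard integration would key on.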

The post CISA creates catalog of known exploited vulnerabilities, orders agencies to patch appeared first on The Record by Recorded Future.

