Alerts: CISA Adds Three Known Exploited Vulnerabilities to Catalog

Source URL: https://www.cisa.gov/news-events/alerts/2024/11/21/cisa-adds-three-known-exploited-vulnerabilities-catalog
Source: Alerts
Title: CISA Adds Three Known Exploited Vulnerabilities to Catalog

Feedly Summary: CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-44308 Apple Multiple Products Code Execution Vulnerability
CVE-2024-44309 Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability
CVE-2024-21287 Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability

Users and administrators are also encouraged to review the Palo Alto Threat Brief: Operation Lunar Peek related to CVE-2024-0012, the Palo Alto Security Bulletin for CVE-2024-0012, and the Palo Alto Security Bulletin for CVE-2024-9474 for additional information. 
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

AI Summary and Description: Yes

Summary: The text discusses three new vulnerabilities added to the CISA’s Known Exploited Vulnerabilities Catalog, emphasizing their risks and providing guidance for timely remediation. This information is crucial for security professionals managing threats in their organizations, especially in compliance with regulations like BOD 22-01.

Detailed Description: The provided text delivers important insights regarding recent vulnerabilities recognized by CISA, specifically highlighting their potential impact on security practices within organizations. Here are the key points:

– **Vulnerabilities Listed**:
  – CVE-2024-44308: Apple Multiple Products code execution vulnerability.
  – CVE-2024-44309: Apple Multiple Products cross-site scripting (XSS) vulnerability.
  – CVE-2024-21287: Oracle Agile Product Lifecycle Management (PLM) incorrect authorization vulnerability.

– **Threats and Risks**: These vulnerabilities are identified as common attack vectors for cybercriminals, significantly threatening the integrity of the federal enterprise and other organizations using affected products.

– **Palo Alto Threat Brief**: Users and administrators are advised to review related threat briefings and security bulletins for greater context and mitigation strategies, demonstrating the importance of staying informed about vulnerabilities.

– **Binding Operational Directive (BOD) 22-01**:
  – Establishes the Known Exploited Vulnerabilities Catalog as a living list of CVEs that carry significant risk to the federal enterprise.
  – Requires Federal Civilian Executive Branch (FCEB) agencies to remediate catalog vulnerabilities by the stated due date so that FCEB networks are protected against active threats.

– **Broader Recommendations**: While BOD 22-01 applies specifically to federal agencies, CISA encourages all organizations to adopt best practices in vulnerability management, highlighting the need for proactive measures against cyberattacks.

Overall, this content highlights the intersection of vulnerability management, compliance, and cybersecurity practices. Security and compliance professionals must prioritize awareness and prompt remediation of these vulnerabilities to safeguard their systems against emerging threats.