The U.S. Cybersecurity & Infrastructure Safety Company has added to its catalog of identified exploited vulnerabilities (KEV) three security points that have an effect on Microsoft units, a Sophos product, and an enterprise answer from Oracle.
The KEV catalog accommodates flaws confirmed to be exploited by hackers in assaults and serves as a repository for vulnerabilities that corporations throughout ought to deal with with precedence.
The company is urging federal businesses to use accessible security updates for the three points earlier than December 7. The three vulnerabilities are tracked as follows:
- CVE-2023-36584 – “Mark of the Net” (MotW) security function bypass on Microsoft Home windows.
- CVE-2023-1671 – Command injection vulnerability in Sophos Net Equipment permitting distant code execution (RCE).
- CVE-2020-2551 – Unspecified vulnerability in Oracle Fusion Middleware, permitting an unauthenticated attacker with community entry through IIOP to compromise the WebLogic server.
Microsoft addressed CVE-2023-36584 within the October 2023 Patch Tuesday bundle of security updates. Nonetheless, it wasn’t flagged as actively exploited within the disclosure and on the time of writing it is nonetheless marked as non exploited.
The important flaw in Sophos Net Equipment, mounted on April 4, 2023, is recognized as CVE-2023-1671 and has a severity rating of 9.8. It could result in distant code execution (RCE) and impacts variations of the software program earlier than 4.3.10.4.
It’s price noting that Sophos Net Equipment reached end-of-life on July 20 and now not receives any kind of updates. The corporate notified clients that they need to migrate to Sophos Firewall net safety.
Though CISA’s KEV catalog is principally aimed toward federal businesses within the U.S. corporations internationally are suggested to make use of it as an alert system for exploited vulnerabilities and take the required steps to replace their methods or apply vendor-recommended mitigations.
Replace 11/17 – A Sophos spokesperson has reached out to share the next clarification about CVE-2023-1671:
Greater than six months in the past, on April 4, 2023, we launched an automated patch to all Sophos Net Home equipment, as famous within the Safety Advisory on our Belief Middle, and in July 2023, we’ve phased out Sophos Net Equipment as beforehand deliberate.
We admire CISA’s discover for any of the small variety of remaining Sophos Net Equipment customers who turned off auto-patch and/or missed our ongoing updates, and suggest they improve to Sophos Firewall for optimum community security transferring ahead.
