
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added to its Known Exploited Vulnerabilities (KEV) catalog three security issues that affect Microsoft devices, a Sophos product, and an enterprise solution from Oracle.

The KEV catalog contains flaws confirmed to be exploited by hackers in attacks and serves as a repository of vulnerabilities that organizations everywhere should address with priority.

The agency is urging federal agencies to apply the available security updates for the three issues before December 7. The three vulnerabilities are tracked as follows:

  • CVE-2023-36584 – “Mark of the Web” (MotW) security feature bypass in Microsoft Windows.
  • CVE-2023-1671 – Command injection vulnerability in Sophos Web Appliance allowing remote code execution (RCE).
  • CVE-2020-2551 – Unspecified vulnerability in Oracle Fusion Middleware, allowing an unauthenticated attacker with network access via IIOP to compromise the WebLogic server.

Microsoft addressed CVE-2023-36584 in the October 2023 Patch Tuesday package of security updates. However, it wasn’t flagged as actively exploited in the disclosure, and at the time of writing it is still marked as not exploited.

The critical flaw in Sophos Web Appliance, fixed on April 4, 2023, is identified as CVE-2023-1671 and has a severity score of 9.8. It can lead to remote code execution (RCE) and affects versions of the software before 4.3.10.4.

It’s worth noting that Sophos Web Appliance reached end-of-life on July 20 and no longer receives any kind of updates. The company notified customers that they should migrate to Sophos Firewall web protection.

Although CISA’s KEV catalog is mainly aimed at federal agencies in the U.S., companies around the world are advised to use it as an alert system for exploited vulnerabilities and take the necessary steps to update their systems or apply vendor-recommended mitigations.
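As an added illustration of using the KEV catalog as an alert feed (this is example code written for this page, not CISA's or any vendor's tooling), the script below matches entries from a KEV-shaped JSON document against an asset inventory, applies a per-CVE fixed-version rule where one is known, and reports the CISA due date for each affected host. The top-level field names (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`) are the ones CISA's public feed uses; the three catalog entries, the inventory, and the hostnames are constructed for the example. The only fixed version encoded is the 4.3.10.4 figure for CVE-2023-1671 stated above; for the other two CVEs no fixed version is assumed, so every matching asset is reported for review.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names follow the
# public feed; the entries are assembled from the article so the script runs offline.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "dateReleased": "2023-11-16T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-36584", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Mark of the Web (MotW) security feature bypass",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07",
         "requiredAction": "Apply vendor updates.", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-1671", "vendorProject": "Sophos", "product": "Web Appliance",
         "vulnerabilityName": "Command injection leading to RCE",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07",
         "requiredAction": "Product is end-of-life; migrate per vendor guidance.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-2551", "vendorProject": "Oracle", "product": "Fusion Middleware",
         "vulnerabilityName": "Unauthenticated WebLogic compromise via IIOP",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07",
         "requiredAction": "Apply vendor updates.", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: hostname, vendor, product, installed version string.
INVENTORY = [
    {"host": "proxy-01", "vendor": "Sophos", "product": "Web Appliance", "version": "4.3.9.1"},
    {"host": "proxy-02", "vendor": "Sophos", "product": "Web Appliance", "version": "4.3.10.4"},
    {"host": "app-01", "vendor": "Oracle", "product": "Fusion Middleware", "version": "12.2.1.3"},
    {"host": "ws-07", "vendor": "Microsoft", "product": "Windows", "version": "10.0.19045"},
]

# KEV entries carry no version ranges, so the fixed version per CVE comes from the
# vendor advisory. Only the Sophos figure is given in the article; CVEs without an
# entry here are treated as affecting every matching asset until an analyst confirms.
FIXED_IN = {"CVE-2023-1671": "4.3.10.4"}


def version_tuple(v):
    """Turn a dotted numeric version string into a tuple that compares numerically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def is_vulnerable(cve_id, installed):
    """True unless a fixed version is known and the installed version is at or above it."""
    fixed = FIXED_IN.get(cve_id)
    if fixed is None:
        return True
    return version_tuple(installed) < version_tuple(fixed)


def match_kev(kev_json, inventory, today_iso):
    """Return one finding per (asset, KEV entry) pair whose vendor and product match."""
    today = date.fromisoformat(today_iso)
    catalog = json.loads(kev_json)
    findings = []
    for entry in catalog["vulnerabilities"]:
        for asset in inventory:
            same_vendor = entry["vendorProject"].lower() == asset["vendor"].lower()
            same_product = entry["product"].lower() in asset["product"].lower()
            if not (same_vendor and same_product):
                continue
            if not is_vulnerable(entry["cveID"], asset["version"]):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "daysLeft": (due - today).days,   # negative once the CISA deadline has passed
                "requiredAction": entry["requiredAction"],
            })
    # Soonest deadline first, then by host, so overdue items rise to the top.
    return sorted(findings, key=lambda f: (f["daysLeft"], f["host"]))


if __name__ == "__main__":
    for f in match_kev(KEV_SAMPLE, INVENTORY, "2023-11-17"):
        print(f"{f['host']:10} {f['cveID']:15} due {f['dueDate']} "
              f"({f['daysLeft']:>3} days) - {f['requiredAction']}")
```

Run against the constructed data on 2023-11-17, the script reports proxy-01 (4.3.9.1 is below the 4.3.10.4 fix), app-01 and ws-07, each with 20 days to the December 7 deadline, and skips proxy-02 because it is already on the fixed version. In practice the catalog would be fetched from CISA's published feed instead of the inline sample, and the `FIXED_IN` table populated from each vendor's advisory.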

Update 11/17 – A Sophos spokesperson has reached out to share the following clarification about CVE-2023-1671:

More than six months ago, on April 4, 2023, we released an automatic patch to all Sophos Web Appliances, as noted in the Security Advisory on our Trust Center, and in July 2023, we phased out Sophos Web Appliance as previously planned.

We appreciate CISA’s notice for any of the small number of remaining Sophos Web Appliance users who turned off auto-patch and/or missed our ongoing updates, and recommend they upgrade to Sophos Firewall for optimal network security moving forward.
