Read Time:5 Minute, 10 Second

Among the thousands of vulnerabilities disclosed so far in 2022, we highlight five and explain why they matter.

With over 6,000 vulnerabilities disclosed this year, cyber security teams have faced, as usual, a challenge to keep up, especially as a number of these software bugs have captured significant media attention. In this article, we’ll provide guidance and clarity on five vulnerabilities to help you better understand why they had an impact and why they all should be on your radar screen. As you will read, these vulnerabilities share common traits, and a closer examination of them offers insights into the breadth and depth of the current vulnerability landscape.

CVE

Description

VPR*

CVE-2022-1096

Google Javascript V8 Chrome engine Vulnerability

9.6

CVE-2022-0847

Linux Kernel Vulnerability

9.8

CVE-2022-26809

Zero-click – Microsoft RPC Vulnerability

9.6

CVE-2022-22965

Spring4Shell – Spring Core Framework Vulnerability

9.7

CVE-2022-1388

F5 BIG-IP Vulnerability

9.6

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on DATE and reflects VPR at that time.

CVE-2022-1096 | Google Chrome

Tags: ahead of NVD coverage, zero-day vulnerability

On March 23, Google announced a zero-day vulnerability in the Google JavaScript V8 Chrome engine potentially impacting billions of users.

Reserved with the CVE-2022-1096 identifier on the National Vulnerability Database (NVD), it is a type-confusion vulnerability affecting Chrome’s core.

As Google reported, it has been confirmed that this security flaw is being exploited in the wild. Upon successful exploitation, the security flaw allows attackers to execute arbitrary code on the affected asset.

Although the vulnerability was disclosed, its details haven’t yet been published in the NVD. Tenable provided Nessus plugin coverage as of March 25.

Exploitation and how Tenable helps

As of today, there are no public proof of concept (PoC) exploits available, although the vulnerability is being exploited in the wild. Google released an emergency update with a security fix in Chrome 99.0.4844.84. A patch is also available for Chromium-based Microsoft Edge. Other Chromium-based browsers include Opera, Samsung Internet and Amazon Silk.

CVE-2022-0847 | Linux Kernel

Tags: ahead of NVD coverage

Discovered on February 20 and reserved in the NVD as CVE-2022-0847, this vulnerability also known as Dirty Pipe affects the Linux kernel 5.8, and allows attackers to overwrite data in arbitrary read-only files upon successful exploitation.

Although it was disclosed in the NVD on March 10, Tenable provided plugin coverage as of March 7.

Exploitation and how Tenable helps

Exploitation for this vulnerability is known, with a PoC released on the same day of the vulnerability’s discovery. A patch is available for this vulnerability.

CVE-2022-26809 | Microsoft

Tags: ahead of NVD coverage, zero-click

With more than a million potentially impacted machines, this vulnerability is likely eliciting bad WannaCry memories among many security teams.

On April 12, Microsoft announced a remote code execution (RCE) vulnerability affecting Microsoft RPC. Reserved as CVE-2022-26809 in the NVD, this vulnerability, known as “Zero Click,” allows an unauthenticated, remote attacker to perform a remote code execution by sending “a specially crafted RPC call to an RPC host.”

The vulnerability was added to the NVD on April 15. Tenable provided plugin coverage on April 12.

Exploitation and how Tenable helps

On April 20, Microsoft provided guidance for mitigation. A patch is available for this vulnerability. For more information on this vulnerability and Tenable support, check out our Microsoft Patch Tuesday alert from Tenable Research.

CVE-2022-22965 | Spring Core Framework

Tags: ahead of NVD coverage, zero-day vulnerability

Discovered on March 30, this vulnerability is better known as Spring4Shell. Reserved as CVE-2022-22965 in the NVD, it is an RCE vulnerability affecting the Spring Core Framework.

It was disclosed in the NVD on April 1st. Tenable provided plugin coverage as of March 31.

Exploitation and how Tenable helps

Exploit for this vulnerability is known and there’s a patch available. For more information on this vulnerability and Tenable support, read our Cyber Exposure Alert from the Tenable Security Response Team.

CVE-2022-1388 | F5 BIG-IP

Tags: CISA-Known Exploit, Exploited in the wild

Announced on May 4 and reserved as CVE-2022-1388 in the NVD, this authentication bypass vulnerability affects the REST component of BIG-IP’s iControl API. This vulnerability allows undisclosed requests to possibly bypass iControl REST authentication.

Exploitation and how Tenable helps

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its catalog of known exploited vulnerabilities. A list of Tenable plugins to identify this vulnerability can be found here. A patch is available. For more information on this vulnerability and Tenable support, read our Cyber Exposure Alert from the Tenable Security Response Team.

Conclusion

This article provided awareness of some critical vulnerabilities that security teams should have pinned on their maps, as they pursue proper and proactive cyber hygiene in their IT environments.

These five vulnerabilities are admittedly only the tip of the overall vulnerabilities iceberg, but they represent the variety of challenges and complexities in the current vulnerability landscape. They are examples of critical vulnerabilities that a proactive security team must be aware of and prepared for so that they can protect their organizations from attacks that try to exploit these vulnerabilities.

It is worth mentioning how Tenable provided plugin coverage ahead of NVD coverage for most of the highlighted vulnerabilities. To shed some light on the area: the process of defining vulnerabilities in the NVD can be a lengthy one due to its by-design formalization rules. At Tenable, we aim to offer a proactive approach to vulnerability management and fast-response detection and we advise that you do too.

Learn More

Download Tenable’s 2021 Threat Landscape Retrospective
Attend the webinar: Tenable Research 2021 Recap and Defender’s Guidance for 2022
Read the blogs:

https://www.tenable.com/blog/the-2021-threat-landscape-retrospective-targeting-the-vulnerabilities-that-matter-most
https://www.tenable.com/blog/behind-the-scenes-how-we-picked-2021s-top-vulnerabilities-and-what-we-left-out

Follow our Cyber Exposure Alerts

This Windows PowerShell Phish Has Scary Potential

Infostealers Cause Surge in Ransomware Attacks, Just One in Three Recover Data

FBI Shuts Down Chinese Botnet

Western Agencies Warn Risk from Chinese-Controlled Botnet

8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach

FCC $200m Cyber Grant Pilot Opens Applications for Schools and Libraries

Cryptojacking Gang TeamTNT Makes a Comeback

Insecure APIs and Bot Attacks Cost Global Firms $186bn

Smashing Security podcast #385: TFL security derailed, and is Trump the king of crypto?

So Many CVEs, So Little Time: Zero In and ‘Zero Click’ into the Current Vulnerability Landscape

CVE-2022-1096 | Google Chrome

Exploitation and how Tenable helps

CVE-2022-0847 | Linux Kernel

Exploitation and how Tenable helps

CVE-2022-26809 | Microsoft

Exploitation and how Tenable helps

CVE-2022-22965 | Spring Core Framework

Exploitation and how Tenable helps

CVE-2022-1388 | F5 BIG-IP

Exploitation and how Tenable helps

Conclusion

Learn More

This Windows PowerShell Phish Has Scary Potential

Infostealers Cause Surge in Ransomware Attacks, Just One in Three Recover Data

FBI Shuts Down Chinese Botnet

Western Agencies Warn Risk from Chinese-Controlled Botnet

8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach

FCC $200m Cyber Grant Pilot Opens Applications for Schools and Libraries