The U.S. Cybersecurity & Infrastructure Security Agency has added to its catalog of known exploited vulnerabilities (KEV) three security issues that affect Microsoft devices, a Sophos product, and an enterprise solution from Oracle.
The KEV catalog contains flaws confirmed to be exploited by hackers in attacks and serves as a repository for vulnerabilities that companies all over should treat with priority.
The agency is urging federal agencies to apply available security updates for the three issues before December 7. The three vulnerabilities are tracked as follows:
- CVE-2023-36584 – "Mark of the Web" (MotW) security feature bypass on Microsoft Windows.
- CVE-2023-1671 – Command injection vulnerability in Sophos Web Appliance allowing remote code execution (RCE).
- CVE-2020-2551 – Unspecified vulnerability in Oracle Fusion Middleware, allowing an unauthenticated attacker with network access via IIOP to compromise the WebLogic server.
Microsoft addressed CVE-2023-36584 in the October 2023 Patch Tuesday bundle of security updates. However, it wasn't flagged as actively exploited in the disclosure and at the time of writing it's still marked as non exploited.
The critical flaw in Sophos Web Appliance, fixed on April 4, 2023, is identified as CVE-2023-1671 and has a severity score of 9.8. It can lead to remote code execution (RCE) and affects versions of the software before 4.3.10.4.
It is worth noting that Sophos Web Appliance reached end-of-life on July 20 and no longer receives any type of updates. The company notified customers that they should migrate to Sophos Firewall web protection.
Although CISA's KEV catalog is mainly aimed at federal agencies in the U.S. companies across the world are advised to use it as an alert system for exploited vulnerabilities and take the necessary steps to update their systems or apply vendor-recommended mitigations.
A Sophos spokesperson has reached out to share the following clarification about CVE-2023-1671:
More than six months ago, on April 4, 2023, we released an automatic patch to all Sophos Web Appliances, as noted in the Security Advisory on our Trust Center, and in July 2023, we've phased out Sophos Web Appliance as previously planned.We appreciate CISA's notice for any of the small number of remaining Sophos Web Appliance users who turned off auto-patch and/or missed our ongoing updates, and recommend they upgrade to Sophos Firewall for optimal network security moving forward.
by Sophos