On September 19, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, affecting Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and Microsoft SQL Server Reporting Services. All five are being actively exploited, which is the criterion for inclusion in the catalog, and two of them are more than four years old, so they represent known, patchable exposure rather than new research.
What is the CISA Known Exploited Vulnerabilities Catalog?
The Known Exploited Vulnerabilities (KEV) catalog is CISA's list of CVEs for which there is reliable evidence of exploitation in the wild. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies must remediate each catalog entry by the due date CISA assigns to it; for the entries discussed here that date is October 9, 2024. The directive binds only federal agencies, but CISA publishes the catalog as machine-readable JSON and CSV feeds precisely so that any organization can fold it into its own vulnerability management, and it strongly urges private organizations to treat the entries as priority patches regardless of CVSS score.
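As an added example of folding the catalog into routine triage (this is not CISA's own tooling), the script below parses a KEV document, keeps only the entries whose vendor and product we run, and annotates each with its BOD 22-01 due date and the days remaining. The live feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; `KEV_FEED_SAMPLE` is a constructed excerpt in the same schema so the script runs offline, reusing the CVEs, products and due date stated on this page, with the remaining field values and the `INVENTORY` list filled in as assumptions.

```python
"""Triage KEV entries against the vendor/product pairs an organisation runs.

Added example, not CISA tooling. KEV_FEED_SAMPLE is a constructed excerpt in the
schema of the live feed; the three entries reuse the CVEs, products and due date
given on this page, other field values are assumptions.
"""
import json
from datetime import date

REQUIRED_ACTION = ("Apply mitigations per vendor instructions or discontinue "
                   "use of the product if mitigations are unavailable.")

KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2024-27348", "vendorProject": "Apache",
         "product": "HugeGraph-Server", "dateAdded": "2024-09-19",
         "requiredAction": REQUIRED_ACTION, "dueDate": "2024-10-09",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-14644", "vendorProject": "Oracle",
         "product": "WebLogic Server", "dateAdded": "2024-09-19",
         "requiredAction": REQUIRED_ACTION, "dueDate": "2024-10-09",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-0618", "vendorProject": "Microsoft",
         "product": "SQL Server Reporting Services", "dateAdded": "2024-09-19",
         "requiredAction": REQUIRED_ACTION, "dueDate": "2024-10-09",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory of (vendor, product) pairs. JDeveloper is included to
# show that a product absent from the feed excerpt yields no hit; SQL Server
# Reporting Services is deliberately left out, so its entry is filtered away.
INVENTORY = [
    ("Apache", "HugeGraph-Server"),
    ("Oracle", "WebLogic Server"),
    ("Oracle", "JDeveloper"),
]


def load_kev(feed_text: str) -> list:
    """Parse a KEV JSON document and return its 'vulnerabilities' array."""
    return json.loads(feed_text)["vulnerabilities"]


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive key for vendor/product strings."""
    return " ".join(s.lower().split())


def triage(entries: list, inventory, today: date) -> list:
    """Return the entries whose (vendor, product) is in `inventory`, annotated
    with the due date, days remaining (negative once overdue) and the
    ransomware flag, most urgent first."""
    wanted = {(_norm(v), _norm(p)) for v, p in inventory}
    hits = []
    for e in entries:
        if (_norm(e["vendorProject"]), _norm(e["product"])) not in wanted:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        hits.append({
            "cve": e["cveID"],
            "product": f"{e['vendorProject']} {e['product']}",
            "due": e["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": e.get("knownRansomwareCampaignUse", "Unknown"),
            "action": e["requiredAction"],
        })
    hits.sort(key=lambda h: (h["days_left"], h["cve"]))
    return hits


if __name__ == "__main__":
    for h in triage(load_kev(KEV_FEED_SAMPLE), INVENTORY, date(2024, 9, 25)):
        state = "OVERDUE" if h["overdue"] else f"{h['days_left']}d left"
        print(f"{h['cve']:<15} {h['product']:<24} due {h['due']} "
              f"{state:<9} ransomware={h['ransomware']}")
```

Matching on CISA's vendor and product strings is only a first cut: the catalog's naming is not stable across entries (a Windows entry may say just "Windows"), so the durable join key is `cveID` against scanner, SBOM or patch-management output. The `knownRansomwareCampaignUse` field is worth surfacing because it is the one signal in the feed that separates "exploited somewhere" from "used in extortion campaigns".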
Vulnerabilities Added to the Catalog
1. CVE-2024-27348: Apache HugeGraph-Server Improper Access Control Vulnerability
- Product: Apache HugeGraph-Server, versions 1.0.0 up to but not including 1.3.0, on Java 8 and Java 11; fixed in 1.3.0
- Impact: An attacker who can reach the server's Gremlin API can bypass the script sandbox and execute arbitrary commands on the host. HugeGraph's authentication system is not enabled by default, so in a default deployment that endpoint is reachable without credentials; the vendor's guidance is to upgrade to 1.3.0 and enable authentication, not just one or the other. HugeGraph-Server is a graph database used for fraud detection, recommendation systems and network analysis, so the data behind it is typically sensitive.
2. CVE-2020-0618: Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
- Product: Microsoft SQL Server Reporting Services (SSRS)
- Impact: A user who can authenticate to the Report Server web portal, even with low privileges, can send a crafted page request that SSRS deserializes unsafely, executing arbitrary code in the context of the Report Server service account. Microsoft patched this in February 2020, so an instance still vulnerable in 2024 is most likely an unmanaged or forgotten report server. SSRS stores connection details for the data sources it reports on, so a compromised report server is a stepping stone to the databases behind it.
3. CVE-2019-1069: Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
- Product: Microsoft Windows Task Scheduler (patched in the June 2019 security updates)
- Impact: This is a local elevation-of-privilege flaw: the Task Scheduler service does not correctly validate certain file operations, so a user who already has low-privileged code execution on the host can make the service act on files with SYSTEM rights and end up running as SYSTEM. It does not provide initial access by itself; in practice it is chained after phishing or a remote code execution bug such as the others on this list, which is why exploitation of a 2019 vulnerability is still being observed.
4. CVE-2022-21445: Oracle JDeveloper Remote Code Execution Vulnerability
- Product: Oracle JDeveloper 12.2.1.3.0 and 12.2.1.4.0 (ADF Faces component of Oracle Fusion Middleware)
- Impact: An unauthenticated attacker with HTTP access to a vulnerable instance can execute arbitrary code and take it over completely (CVSS 3.1 base score 9.8). Oracle addressed the flaw in the April 2022 Critical Patch Update. ADF Faces is a shared web framework that also ships inside other Oracle Fusion Middleware products, so the exposure is not limited to developer workstations running JDeveloper; any application server hosting ADF Faces content should be checked for the same patch.
5. CVE-2020-14644: Oracle WebLogic Server Remote Code Execution Vulnerability
- Product: Oracle WebLogic Server 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 (Core component)
- Impact: An unauthenticated attacker with network access via IIOP can execute arbitrary code on the server (CVSS 3.1 base score 9.8). Oracle fixed it in the July 2020 Critical Patch Update. WebLogic's IIOP and T3 listeners are a recurring deserialization target and internet-exposed instances are scanned continuously; where the patch cannot be applied immediately, restrict IIOP and T3 to trusted sources with a WebLogic connection filter. WebLogic is part of Oracle Fusion Middleware and is widely used for mission-critical enterprise applications, so a successful attack means complete control of the application server and its data.
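The three Oracle and Apache entries above give explicit affected versions (a range for HugeGraph, a fixed list for JDeveloper and WebLogic). The following added example (not from Apache, Oracle or CISA) encodes exactly those versions and checks an inventory of reported versions against them; the hosts in `INVENTORY` are constructed, and SSRS and Task Scheduler are omitted because the advisory text gives no version list for them.

```python
"""Check reported product versions against the affected versions listed above.

Added example, not vendor or CISA code. AFFECTED encodes the versions stated
on this page; INVENTORY is a constructed set of hosts.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'12.2.1.4.0' -> (12, 2, 1, 4, 0). Each dotted part is read up to its
    first non-digit, so '1.3.0-rc1' parses as (1, 3, 0)."""
    parts = []
    for piece in s.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """-1, 0 or 1 after zero-padding, so that 1.3 compares equal to 1.3.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


@dataclass(frozen=True)
class Affected:
    cve: str
    vendor: str
    product: str
    exact: Tuple[str, ...] = ()     # versions the advisory lists individually
    lo: Optional[str] = None        # inclusive lower bound ("from X")
    hi: Optional[str] = None        # exclusive upper bound ("before Y")

    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if any(compare(v, parse_version(x)) == 0 for x in self.exact):
            return True
        if self.lo is not None and self.hi is not None:
            return (compare(parse_version(self.lo), v) <= 0
                    and compare(v, parse_version(self.hi)) < 0)
        return False


# Affected versions as the advisory text above states them.
AFFECTED = [
    Affected("CVE-2024-27348", "Apache", "HugeGraph-Server", lo="1.0.0", hi="1.3.0"),
    Affected("CVE-2022-21445", "Oracle", "JDeveloper",
             exact=("12.2.1.3.0", "12.2.1.4.0")),
    Affected("CVE-2020-14644", "Oracle", "WebLogic Server",
             exact=("12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0")),
]

# Constructed inventory: (host, vendor, product, reported version).
INVENTORY = [
    ("graph-01", "Apache", "HugeGraph-Server", "1.2.0"),
    ("graph-02", "Apache", "HugeGraph-Server", "1.3.0"),   # fixed release, excluded by "before 1.3.0"
    ("jdev-01", "Oracle", "JDeveloper", "12.2.1.3.0"),
    ("jdev-02", "Oracle", "JDeveloper", "12.2.1.2.0"),     # not in the listed versions
    ("wls-01", "Oracle", "WebLogic Server", "12.2.1.4.0"),
    ("wls-02", "Oracle", "WebLogic Server", "12.1.3.0.0"), # not in the listed versions
    ("wls-03", "Oracle", "WebLogic Server", "14.1.1.0.0"),
]


def find_exposed(inventory) -> list:
    """Return (host, cve) pairs for rows whose reported version is in scope."""
    out = []
    for host, vendor, product, version in inventory:
        for a in AFFECTED:
            if (a.vendor, a.product) == (vendor, product) and a.matches(version):
                out.append((host, a.cve))
    return out


if __name__ == "__main__":
    for host, cve in find_exposed(INVENTORY):
        print(f"{host}: version in scope for {cve}")
```

Two caveats when reading the output. For Oracle products a version match means "in scope", not "unpatched": the version string stays 12.2.1.4.0 after the Critical Patch Update is applied, so the decisive check is the patch level (`opatch lsinventory` on the Oracle home), and versions older than the ones Oracle lists are not "safe", only unsupported and unassessed. For HugeGraph the version is decisive, but 1.3.0 alone does not close the exposure unless authentication is also enabled.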
Breakdown of Affected Products and Their Users
- Apache HugeGraph-Server: used by data scientists, analysts, and organizations working with big data for graph-based applications such as social networks, fraud detection, and recommendation engines. Because the flaw gives arbitrary command execution on the database host, everything stored in those graphs is at risk.
- Microsoft SQL Server Reporting Services: used by large enterprises for report generation and business intelligence. The flaw exposes the report server itself and, through its stored data-source connections, the databases it reports on.
- Microsoft Windows Task Scheduler: present on every Windows installation and relied on by administrators for scheduling and automation. The privilege escalation lets an attacker who already has a foothold run commands as SYSTEM, turning a low-privileged compromise into full control of the host.
- Oracle JDeveloper: used by software developers building Java enterprise applications on Oracle Fusion Middleware. Remote takeover of a JDeveloper environment puts source code, credentials, and the build and deployment pipeline within reach of the attacker.
- Oracle WebLogic Server: deployed by large organizations and government agencies to run enterprise applications. Remote code execution on the application server can lead to data breaches, lateral movement into backend systems, or denial of service.
Actions Required and Deadlines
Under BOD 22-01, federal civilian agencies must remediate these five vulnerabilities by October 9, 2024. Private organizations are not bound by the directive, but they are strongly advised to review the Known Exploited Vulnerabilities catalog and patch the same systems on a comparable timeline, since the attackers exploiting these flaws do not distinguish between federal and private targets.
The inclusion of these vulnerabilities in CISA's Known Exploited Vulnerabilities catalog reflects the significant threat posed by flaws in widely used software such as Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and SQL Server Reporting Services. Organizations relying on these products should patch urgently; three of the five entries have had vendor fixes available since 2019 or 2020, which shows that exploitation continues for as long as unpatched instances remain reachable. CISA's October 9, 2024 deadline underscores the critical nature of these vulnerabilities.