US CERT Current Activity
Critical RCE Vulnerability in Discourse
Oct 24, 2021
Original release date: October 24, 2021Discourse—an open source discussion platform—has released a security advisory to address a critical remote code execution (RCE) vulnerability (CVE-2021-41163) in Discourse versions 2.7.8 and earlier. CISA urges developers to update to patched versions 2.7.9 or later or apply the necessary workarounds. For more information, see RCE via malicious SNS subscription payload. This product is provided subject to this Notification and this Privacy & Use policy.
Malware Discovered in Popular NPM Package, ua-parser-js
Oct 22, 2021
Original release date: October 22, 2021Versions of a popular NPM package named ua-parser-js was found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system. CISA urges users and administers using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1 For more information, see Embedded malware in ua-parser-js. This product is provided subject to this Notification and this Privacy & Use policy.
GPS Daemon (GPSD) Rollover Bug
Oct 21, 2021
Original release date: October 21, 2021Critical Infrastructure (CI) owners and operators and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices should be aware of a GPS Daemon (GPSD) bug in GPSD versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021). On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive. CISA urges affected CI owners and operators to ensure systems—that use GPSD to obtain timing information from GPS devices—are using GPSD version 3.23 (released August 8, 2021) or newer. For more information, see Keeping Track of Time: Network Time Protocol and a GPSD Bug. This product is provided subject to this Notification and this Privacy & Use policy.
Cisco Releases Security Updates for IOS XE SD-WAN Software
Oct 21, 2021
Original release date: October 21, 2021Cisco has released security updates to address a vulnerability in IOS XE SD-WAN Software. An authenticated local attacker could exploit this vulnerability to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review Cisco Advisory cisco-sa-sd-wan-rhpbE34A and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Google Releases Security Updates for Chrome
Oct 20, 2021
Original release date: October 20, 2021Google has released Chrome version 95.0.4638.54 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary update as soon as possible. This product is provided subject to this Notification and this Privacy & Use policy.
Oracle Releases October 2021 Critical Patch Update
Oct 19, 2021
Original release date: October 19, 2021Oracle has released its Critical Patch Update for October 2021 to address 419 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Oracle October 2021 Critical Patch Update and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware
Oct 18, 2021
Original release date: October 18, 2021CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released joint Cybersecurity Advisory (CSA): BlackMatter Ransomware. Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA provides cyber actor tactics, techniques, and procedures and outlines mitigations to improve ransomware protection, detection, and response. To reduce the risk of BlackMatter ransomware, CISA, FBI, and NSA encourage organizations to implement the recommended mitigations in the joint CSA and visit StopRansomware.gov for more information on protecting against and responding to ransomware attacks. This product is provided subject to this Notification and this Privacy & Use policy.
Apache Releases Security Advisory for Tomcat
Oct 15, 2021
Original release date: October 15, 2021The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to cause a denial of service condition. CISA encourages users and administrators to review Apache’s security advisory for CVE-2021-42340 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Ongoing Cyber Threats to U.S. Water and Wastewater Systems Sector Facilities
Oct 14, 2021
Original release date: October 14, 2021CISA, the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that details ongoing cyber threats to U.S. Water and Wastewater Systems (WWS) Sector. This activity—which includes cyber intrusions leading to ransomware attacks—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. The joint CSA provides extensive mitigations and resources to assist WWS Sector facilities in strengthening operational resilience and cybersecurity practices. CISA has also released a Cyber Risks & Resources for the Water and Wastewater Systems Sector infographic that details both information technology and operational technology risks the WWS Sector faces and provides select resources. This product is provided subject to this Notification and this Privacy & Use policy.
Juniper Networks Releases Security Updates for Multiple Products
Oct 14, 2021
Original release date: October 14, 2021Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Microsoft Releases October 2021 Security Updates
Oct 12, 2021
Original release date: October 12, 2021Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s October 2021 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Adobe Releases Security Updates for Multiple Products
Oct 12, 2021
Original release date: October 12, 2021Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates: APSB21-104 Acrobat and Reader APSB21-91 Connect APSB21-89 Reader Mobile APSB21-88 ops-cli APSB21-86 Commerce APSB21-52 Campaign Standard This product is provided subject to this Notification and this Privacy & Use policy.
Apple Releases Security Update to Address CVE-2021-30883
Oct 12, 2021
Original release date: October 12, 2021Apple has released a security update to address a vulnerability—CVE-2021-30883—in multiple products. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability has been detected in exploits in the wild. CISA encourages users to review the Apple security page for iOS 15.0.2 and iPadOS 15.0.2 and apply the necessary updates as soon as possible. This product is provided subject to this Notification and this Privacy & Use policy.
Google Releases Security Updates for Chrome
Oct 12, 2021
Original release date: October 12, 2021Google has updated the Stable channel to 94.0.4606.81 for Windows, Mac and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
NSA Releases Guidance on Avoiding the Dangers of Wildcard TLS Certificates and ALPACA Techniques
Oct 8, 2021
Original release date: October 8, 2021The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance to help secure the Department of Defense, National Security Systems, and Defense Industrial Base organizations from poorly implemented wildcard Transport Layer Security (TLS) certificates and the exploitation of Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA). A malicious cyber actor with network access can exploit this vulnerability to access sensitive information. CISA encourages administrators and users to review NSA's CSI sheet on Avoiding Dangers of Wildcard TLS Certificates and the ALPACA Technique for more information. This product is provided subject to this Notification and this Privacy & Use policy.
Apache Releases HTTP Server version 2.4.51 to Address Vulnerabilities Under Exploitation
Oct 7, 2021
Original release date: October 7, 2021On October 7, 2021, the Apache Software Foundation released Apache HTTP Server version 2.4.51 to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50. These vulnerabilities have been exploited in the wild. CISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation. CISA urges organizations to patch immediately if they haven’t already—this cannot wait until after the holiday weekend. This product is provided subject to this Notification and this Privacy & Use policy.
Cisco Releases Security Updates for Multiple Products
Oct 7, 2021
Original release date: October 7, 2021Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: Cisco Web Security Appliance Proxy Service Denial of Service Vulnerability cisco-sa-wsa-dos-fmHdKswk Cisco Intersight Virtual Appliance Command Injection Vulnerability cisco-sa-ucsi2-command-inject-CGyC8y2R Cisco Small Business 220 Series Smart Switches Link Layer Discovery Protocol Vulnerabilities cisco-sa-sb220-lldp-multivuls-mVRUtQ8T Cisco Identity Services Engine Privilege Escalation Vulnerability cisco-sa-ise-priv-esc-UwqPrBM3 Cisco ATA 190 Series Analog Telephone Adapter Software Vulnerabilities cisco-sa-ata19x-multivuln-A4J57F3 Cisco AnyConnect Secure Mobility Client for Linux and Mac OS with VPN Posture (HostScan) Module Shared Library Hijacking Vulnerability cisco-sa-anyconnect-lib-hija-cAFB7x4q This product is provided subject to this Notification and this Privacy & Use policy.
CISA Releases Guidance: TIC 3.0 Remote User Use Case
Oct 7, 2021
Original release date: October 7, 2021In coordination with the Office of Management and Budget (OMB), the Federal Chief Information Security Officer Council (FCISO) Trusted Internet Connections (TIC) Subcommittee, and the General Services Administration, CISA has released Trusted Internet Connections 3.0 Remote User Use Case. The Remote User Use Case provides federal agencies with guidance on applying network and multi-boundary security for agencies that permit remote users on their networks. In accordance with OMB Memorandum M-19-26, this use case builds off TIC 3.0 Interim Telework Guidance originally released in Spring 2020. The TIC 3.0 Remote User Use Case considers additional security patterns agencies may face with remote users and includes four new security capabilities: User Awareness and Training, Domain Name Monitoring, Application Container, and Remote Desktop Access. In conjunction with the Remote User Use Case, CISA has also released Response to Comments on TIC 3.0 Remote User Use Case and the Pilot Process Handbook. These additional documents provide feedback on the Remote User Use Case and describes the process by which agencies should conduct TIC 3.0 pilots. CISA encourages all federal government agencies and organizations to review the TIC 3.0 Remote User Use Case and visit the CISA TIC page for updates and additional information on the TIC program. This product is provided subject to this Notification and this Privacy & Use policy.
Mozilla Releases Security Updates for Firefox and Firefox ESR
Oct 6, 2021
Original release date: October 6, 2021Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR . An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla security advisories for Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2. This product is provided subject to this Notification and this Privacy & Use policy.
Apache Releases Security Update for Apache HTTP Server
Oct 6, 2021
Original release date: October 6, 2021The Apache Software Foundation has released Apache HTTP Server version 2.4.50 to address two vulnerabilities. An attacker could exploit these vulnerabilities to take control of an affected system. One vulnerability, CVE-2021-41773, has been exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache HTTP Server 2.4.50 vulnerabilities page and apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy.
