The US cybersecurity agency CISA on Wednesday raised the alarm on threat actors exploiting known vulnerabilities in GeoServer, the Linux kernel, and Roundcube Webmail.
The GeoServer flaw, tracked as CVE-2022-24816 (CVSS score of 9.8), is described as a code injection flaw in the Jai-Ext open source project that could be exploited to achieve remote code execution.
The issue is related to the use of the scripting language Jiffle: Jiffle scripts are compiled into Java code via Janino, and then executed.
GeoServer version 1.2.22 was released in April 2022 with a patch that disabled the ability to inject malicious code into the resulting script.
Technical information on CVE-2022-24816 and proof-of-concept (PoC) exploit code have been available since August 2022.
Tracked as CVE-2022-2586 (CVSS score of 7.8), the Linux kernel flaw is a use-after-free issue in nft tables that could lead to privilege escalation.
“A nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted,” a NIST advisory reads.
The flaw was demonstrated at Pwn2Own Vancouver in May 2022 and was patched in early August that year. Three weeks later, the first technical details and PoC code targeting CVE-2022-2586 were published.
On Wednesday, CISA also warned of the exploitation of a four-year-old vulnerability in Roundcube Webmail versions before 1.4.5 and 1.3.12, tracked as CVE-2020-13965 (CVSS score of 6.1).
The vulnerability is described as a cross-site scripting (XSS) issue that can be triggered via malicious XML attachments, because the open source webmail software allows text/xml types for preview, which could lead to a bypass of script filters and arbitrary JavaScript code execution.
Roundcube released patches for the flaw in early June 2020 and PoC code was released shortly after.
CISA added all three security defects to its Known Exploited Vulnerabilities (KEV) catalog on June 26, urging federal agencies – per Binding Operational Directive (BOD) 22-01 – to apply the available mitigations or remove the vulnerable products from their environments by July 17.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
While BOD 22-01 only applies to federal agencies, all organizations using the vulnerable products are advised to address the flagged issues as soon as possible.
It is worth mentioning that, while PoC code targeting these flaws has been available for years, there have been no reports of any of them being exploited before CISA’s warning.
Related: CISA Warns of Progress Telerik Vulnerability Exploitation
Related: CISA Tells US Agencies to Patch Exploited Roundcube, VMware Flaws
Related: Truebot Hackers Exploiting Netwrix Auditor Flaw: CISA, FBI Alert
Related: CISA Notifies Hitachi Energy Customers of High-Severity Vulnerabilities
