The US Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies about an actively exploited zero-day vulnerability in Google’s Chrome browser.
Tracked as CVE-2022-1096, the high-severity security hole was identified in Chrome’s V8 JavaScript engine and impacts all Chromium-based browsers.
Google issued an emergency fix for this bug on Friday, and Microsoft followed suit the next day, updating its Chromium-based Edge browser.
CISA has added the zero-day to its Known Exploited Vulnerabilities Catalog alongside 31 other bugs, including a high-severity Redis Server flaw now exploited in botnet attacks.
Tracked as CVE-2022-0543, the issue is described as a Redis Lua sandbox escape and remote code execution vulnerability that exists because the Lua library in some Debian/Ubuntu packages is delivered as a dynamic library.
[ READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes ]
Researchers at network services provider Juniper say that the Muhstik malware has been exploiting the vulnerability in attacks since March 11. Previously, the botnet’s operators were observed targeting Confluence server, Log4j, and Oracle WebLogic vulnerabilities.
While several of the other vulnerabilities that CISA has just added to its Must Patch list were resolved in 2021, the remaining are older bugs, some addressed a decade ago.
CISA is giving federal agencies three weeks (until April 18) to apply patches for these vulnerabilities. However, the agency told SecurityWeek earlier this year that those who fail to meet the deadlines are not penalized. Instead, CISA provides assistance to organizations that cannot meet the deadlines.
The Known Exploited Vulnerabilities Catalog is primarily for federal agencies, but organizations of all types are encouraged to use it to improve their patching operations.
Related: CISA Adds 66 Vulnerabilities to ‘Must Patch’ List
Related: CISA Urges Organizations to Patch Recent Firefox Zero-Day