April 14, 2022
Microsoft Patches 2 0-Days & 47 RCE Vulnerabilities, Google Patches 5 Chrome RCEs, Apache Patches RCE in ‘Struts 2’
Microsoft Patches 2 0-Days & 47 RCE Vulnerabilities
As part of April’s monthly security rollup updates, Microsoft has patched 2 0-Day and 47 Remote Code Execution vulnerabilities.
Overall, Microsoft has patched 119 vulnerabilities across Windows, Windows Server, Hyper-V, Azure, Office and others.
The Zero-Day Vulnerabilities
- CVE-2022-26904 (CVSS 3.1: 7.0, High Severity) – Windows User Profile Service Elevation of Privilege Vulnerability.
- CVE-2022-24521 (CVSS 3.1: 7.8, High Severity) – Windows Common Log File System Driver Elevation of Privilege Vulnerability
For the full patched vulnerabilities list, including the 47 RCEs, visit Microsoft April 2022 Security Updates.
CYREBRO recommends implementing the latest available Microsoft security/monthly rollup updates in all relevant systems as soon as possible.
References: Microsoft February 2022 Security Updates.
Google Patches 5 RCEs in Chrome
Google has updated Chrome, patching 5 remote code execution vulnerabilities and 11 vulnerabilities overall.
The updated version is 100.0.4896.88 for Windows, Mac and Linux.
The RCE Vulnerabilities
- CVE-2022-1305, High Severity – Use after free in storage.
- CVE-2022-1308, High Severity – Use after free in ‘BFCache’.
- CVE-2022-1310, High Severity – Use after free in regular expressions.
- CVE-2022-1311, High Severity – Use after free in Chrome OS shell.
- CVE-2022-1312, High Severity – Use after free in storage.
Exploiting any of these vulnerabilities may lead to remote code execution on the target system.
- Chrome for Windows, Mac and Linux prior to version 100.0.4896.88.
CYREBRO recommends updating your browser to the latest Chrome version, 100.0.4896.88 for Windows, Mac and Linux.
References: Google Advisory.
Apache Patches RCE in Struts 2
Apache has patched a remote code execution vulnerability in Struts 2.
Apache Struts 2 is an open-source web application framework for developing Java EE web applications.
- CVE-2021-31805 (CVSS 3.1: 8.5, High Severity) – Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to remote code execution.
- Apache Struts 2.0.0 – 2.5.29 (patched in 2.5.30).
CYREBRO recommends that those who are using Struts 2, upgrade to Struts 2.5.30 or greater version.
If mitigation currently cannot be applied, do not use forced OGNL evaluation in the tag’s attributes based on untrusted/unvalidated user input.
References: Apache Advisory