CISA Warns of Exploited GeoServer, Linux Kernel, and Roundcube Vulnerabilities

June 27, 2024 at 08:33AM

CISA has warned that threat actors are exploiting vulnerabilities in GeoServer, the Linux kernel, and Roundcube Webmail. The GeoServer flaw (CVE-2022-24816) allows code injection and remote code execution. The Linux kernel flaw (CVE-2022-2586) may lead to privilege escalation. The Roundcube Webmail flaw (CVE-2020-13965) is a cross-site scripting issue. CISA urges action to mitigate the risks. No prior exploitation had been reported.

CISA has raised an alert about threat actors exploiting known vulnerabilities in GeoServer, the Linux kernel, and Roundcube Webmail.

The GeoServer flaw, tracked as CVE-2022-24816, is described as a code injection flaw in the Jai-Ext open source project that allows remote code execution. A patch was released for GeoServer version 1.2.22 in April 2022 to address the issue.

The Linux kernel flaw, tracked as CVE-2022-2586, is a use-after-free issue in nf_tables that could lead to privilege escalation. The flaw was demonstrated at Pwn2Own Vancouver in May 2022 and was patched in early August of the same year.

The Roundcube Webmail vulnerability, tracked as CVE-2020-13965, is a cross-site scripting (XSS) issue that can be triggered via malicious XML attachments, allowing for arbitrary JavaScript code execution. Roundcube released patches for this flaw in June 2020.

CISA added all three security defects to its Known Exploited Vulnerabilities (KEV) catalog on June 26 and urged federal agencies to apply the available mitigations or remove the vulnerable products from their environments by July 17.

It’s important to note that while proof-of-concept (PoC) code targeting these flaws has been available for years, there were no reports of any of them being exploited before CISA’s warning.
