CISA warns of actively exploited bugs in Chrome and Excel parsing library

January 3, 2024 at 07:58AM

The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities to its Known Exploited Vulnerabilities catalog. The first vulnerability, CVE-2023-7101, affects the Spreadsheet::ParseExcel library, allowing remote code execution. The second vulnerability, CVE-2023-7024, is a heap buffer overflow issue in WebRTC in Google Chrome. Federal agencies have until January 23 to mitigate these vulnerabilities.

The key takeaways are as follows:

1. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to the Known Exploited Vulnerabilities catalog. These vulnerabilities include a recently patched flaw in Google Chrome (CVE-2023-7024) and a bug affecting the open-source Perl library Spreadsheet::ParseExcel (CVE-2023-7101).

2. CVE-2023-7101 in Spreadsheet::ParseExcel is a remote code execution vulnerability affecting versions 0.65 and older of the library. It was exploited by Chinese hackers targeting the Barracuda Email Security Gateway (ESG), and a security update addressing this vulnerability was made available on December 29, 2023, with Spreadsheet::ParseExcel version 0.66.

3. CVE-2023-7024 is a heap buffer overflow issue in WebRTC in Google Chrome. Google released an emergency update on December 20, 2023, to fix this vulnerability.

4. CISA's Known Exploited Vulnerabilities (KEV) catalog is a valuable resource for organizations worldwide for vulnerability management and prioritization.

These takeaways highlight the specific vulnerabilities, the affected products, the exploitation incidents, and the actions taken to address the vulnerabilities. This information can guide decisions related to vulnerability management and risk mitigation within organizations using the affected products.
