Three New Vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog

CVE-2022-35914

CISA, the United States Cybersecurity and Infrastructure Security Agency, has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. All three are under active exploitation by malicious cyber actors, and each is a common attack vector that poses significant risk to the federal enterprise.

The first vulnerability, CVE-2022-28810, is a command-injection flaw in Zoho ManageEngine ADSelfService Plus. When the product's post-action custom scripts feature is enabled, a remote authenticated attacker can send a specially crafted password reset or password change request and have arbitrary commands executed on the underlying system. Zoho addressed the issue in build 6122; installations on earlier builds should upgrade, and the custom script feature should be disabled until they do.

The second vulnerability, CVE-2022-33891, affects Apache Spark, a popular open-source analytics engine for big data processing. The vulnerable code path in the Spark UI's HttpSecurityFilter is only reachable when UI ACLs are enabled (spark.acls.enable set to true). With ACLs on, an attacker can impersonate another user by supplying an arbitrary user name; that name reaches a permission check that builds a Unix shell command from the input and executes it, resulting in arbitrary shell command execution as the user Spark is running as. Affected versions are 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1; the fix shipped in 3.1.3, 3.2.2 and 3.3.0.

The third vulnerability, CVE-2022-35914, affects Teclib GLPI, a free and open-source asset management and ticketing system. The flaw lies in htmLawedTest.php, a test script shipped with the bundled htmLawed library under /vendor/htmlawed/htmlawed/: a remote attacker who can reach that script over the web can inject and execute arbitrary PHP code. Because the script is a test harness that GLPI itself does not need, administrators should both update (GLPI 10.0.3 removed the exposure) and confirm that the web server no longer serves the file.

As these vulnerabilities are being actively exploited, it is crucial for organizations to act now. This means promptly applying vendor updates, disabling unnecessary features (such as ADSelfService Plus custom scripts) and removing unneeded files (such as the htmLawed test script) that expose a system to attack.

In light of in-the-wild exploitation, and under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by March 28, 2023. CISA also urges all other organizations to prioritize them in their own vulnerability management.
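As an added example (not from the article or from CISA), the following Python script turns the catalog into an actionable check: it parses a KEV-style JSON document, matches a hypothetical software inventory against the affected version ranges, and flags anything past the due date. The catalog entries and the inventory are constructed samples; the Spark ranges are the ones given above, while the ADSelfService Plus (before build 6122) and GLPI (10.0.2 and earlier) ranges are taken from the vendor fixes rather than from the article.

```python
"""Triage a software inventory against the CISA KEV catalog.

Added example, not part of the article or of any CISA tooling.  It reads a
KEV-style JSON document (the real feed lives at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and uses the same top-level "vulnerabilities" list and field names), matches
each inventory entry against the affected version ranges, and reports the
remediation due date.  Catalog entries and inventory are constructed samples.
"""
import json
import re
from datetime import date

# Constructed sample in the shape of the KEV feed; the three entries mirror the
# vulnerabilities discussed in the article (dateAdded is assumed).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2022-28810", "vendorProject": "Zoho",
         "product": "ManageEngine ADSelfService Plus",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-33891", "vendorProject": "Apache",
         "product": "Apache Spark",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-35914", "vendorProject": "Teclib",
         "product": "GLPI",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Inclusive (lowest, highest) affected version ranges per product.  The Spark
# ranges are those given in the article; the ADSelfService Plus (builds before
# 6122) and GLPI (10.0.2 and earlier) ranges come from the vendor fixes and are
# assumptions not stated in the article.
AFFECTED_RANGES = {
    "Apache Spark": [("0", "3.0.3"), ("3.1.1", "3.1.2"), ("3.2.0", "3.2.1")],
    "ManageEngine ADSelfService Plus": [("0", "6121")],
    "GLPI": [("0", "10.0.2")],
}

# Hypothetical inventory: host, product name as used in the catalog, version.
INVENTORY = [
    {"host": "spark-master-01", "product": "Apache Spark", "version": "3.2.1"},
    {"host": "spark-master-02", "product": "Apache Spark", "version": "3.3.0"},
    {"host": "adss-01", "product": "ManageEngine ADSelfService Plus", "version": "6121"},
    {"host": "glpi-01", "product": "GLPI", "version": "10.0.3"},
]


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); '6121' -> (6121,).  Non-numeric parts are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_affected(product, version):
    """True when `version` of `product` falls inside a known affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES.get(product, []))


def triage(kev_json, inventory, today):
    """Return one finding per (asset, catalog entry) pair that needs action.

    `today` is an ISO date string; a finding is flagged overdue when the
    catalog's dueDate has already passed.
    """
    catalog = json.loads(kev_json)["vulnerabilities"]
    today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for entry in catalog:
            if entry["product"] != asset["product"]:
                continue
            if not is_affected(asset["product"], asset["version"]):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "version": asset["version"],
                "due": entry["dueDate"],
                "overdue": today > due,
            })
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date.today().isoformat()):
        status = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f"{f['host']}: {f['cve']} version {f['version']} {status}")
```

The match is purely version-based. For Apache Spark, whether the flaw is actually exploitable also depends on spark.acls.enable, so a Spark finding should be cross-checked against the UI configuration rather than silently downgraded; and because a KEV entry means exploitation has already been observed, an affected version is worth remediating even where the precondition is not currently met.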