Search This Blog

Powered by Blogger.

Blog Archive

Labels

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

CISA adds server flaws in Atlassian’s Bitbucket Server and two Microsoft Exchange zero-days to its Known Exploited Vulnerabilities Catalog list.

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its list of Known Exploited Vulnerabilities (KEV ) Catalog, including critical vulnerability in Atlassian’s Bitbucket Server and Data Center, and two Microsoft Exchange zero-days.

At the end of August, Atlassian rectified a security flaw, tracked as CVE-2002-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The flaw is a critical severity and is related to a command injection vulnerability that enables malicious actors access to arbitrary code execution, by exploiting the flaw through malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassain states in an advisory released in late August.

Although CISA did not provide further details on how the security flaw is being exploited or how widespread the exploitation efforts are, researchers at GreyNoise, on September 20 and 23 confirms to have detected evidence of in-the-wild abuse.

The other two KEV flaws, Microsoft Exchange zero-days (tracked as CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

The Federal Civilian Executive Branch Agencies (FCEB) have applied patches or mitigation measures for these three security vulnerabilities after being added to CISA’s KEV catalog as required by the binding operational directive (BOD 22-01) from November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, while requiring federal agencies to direct them on a tighter schedule.

Although BOD 22-01 only applies to U.S. FCEB agencies, CISA has suggested to all the private and public sector organizations worldwide to put forward these security flaws, as applying mitigation measures will assist in containing potential attacks and breach attempts. In the same regard, CISA furthermore stated, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise”
Share it:

Atlassian

CISA

Critical Flaw

Exploits

Flaws

Microsoft Exchange

Microsoft Exchange Server

Vulnerabilities and Exploits

Zero Day