May 19 — US federal agencies have until Monday to mitigate vulnerabilities associated with five commonly used software products.
Dangerous vulnerabilities identified
“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly. “CISA has issued this emergency directive to ensure that federal civilian agencies take urgent action to protect their networks…”
Easterly continued: “We also strongly urge every organization, large and small, to follow the federal government’s lead and take similar steps to safeguard their networks.”
New patches to be installed
CISA said that the vulnerabilities were first discovered in April, after which patches were released. However, there are new patches that agencies need to install immediately.
According to CISA, the newly disclosed vulnerabilities include “a server-side template injection that may result in remote code execution; escalate privileges to ‘root’ and obtain administrative access without the need to authenticate.”
Vulnerabilities score 9.8
The vulnerabilities in question are rated “critical,” with a severity score of 9.8 out of 10. Although patching can be time-consuming, organizations should make time to patch the identified vulnerabilities to avoid cyber attacks.
More info: CISA’s emergency directives
Since January 2019, CISA has released 10 emergency directives. This is the second of the current fiscal year; the first came in December and urged agencies to patch the Log4j vulnerability.
Over the past few months, CISA has tried to build preventive approaches into its recommendations and has shied away from emergency directives. In this instance, however, CISA believes the threat to agency systems is serious enough to require urgent action.