Report Surfaces Top Vulnerabilities of 2022

Rezilion, a vulnerability management platform provider, shared a list of the top vulnerabilities discovered in 2022. The report suggested that organizations should address these before the start of the New Year if they have not already done so. Those vulnerabilities include:

Pwnkit – CVE-2021-4034, a privilege escalation vulnerability in the pkexec file of the Linux Policykit package.

Dirty Pipe – CVE-2022-0847, a serious privilege escalation vulnerability that utilizes the PIPE mechanism in Linux to write to a privileged existing page cache.

Spring4Shell – CVE-2022-22965, a zero-day remote code execution (RCE) vulnerability caused by an error in the mechanism that uses client-provided data to update the properties of an object in the Spring MVC or Spring WebFlux application.

NimbusPWN – CVE-2022-29799 (path traversal) and CVE-2022-29800, a pair of vulnerabilities that can be chained together to escalate privileges by using a flaw in the networkd-dispatcher in the Linux kernel.

Dirty Cred – two CVEs, CVE-2021-4154 and CVE-2022-2588, a set of local privilege escalation vulnerabilities that are capable of bypassing kernel credential permission checks.

ProxyNotShell – CVE-2022-41040 and CVE-2022-41082, a pair of RCE vulnerabilities that target Microsoft Exchange servers.

Text4Shell or Act4Shell – CVE-2022-42889, a critical remote code execution (RCE) vulnerability that abuses the Apache Commons Text interpolation functionality in String Substitution.

Spooky SSL – CVE-2022-3603 and CVE-2022-3786, a pair of vulnerabilities that could enable RCE under certain circumstances.
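As an added example (not code from the Rezilion report or from this article), the following Python parser pulls CVE identifiers out of advisory text such as the list above, normalizes the Unicode dashes that creep in when such lists are copied around (the ProxyNotShell entry in this article, for instance, had en dashes inside its CVE numbers as published), validates the ID format, deduplicates, and groups the IDs under the named vulnerability so they can be handed to a vulnerability management or ticketing workflow. The sample report text is constructed here from the entries above; the function and constant names are this example's own.

```python
from __future__ import annotations

import re

# Unicode dash variants frequently found in copy-pasted advisories, all mapped
# to the ASCII hyphen that the CVE ID format actually uses:
# hyphen, non-breaking hyphen, figure dash, en dash, em dash, minus sign.
DASH_TRANSLATION = str.maketrans({
    "\u2010": "-", "\u2011": "-", "\u2012": "-",
    "\u2013": "-", "\u2014": "-", "\u2212": "-",
})

# CVE-YYYY-NNNN with at least four sequence digits (arbitrary length since 2014).
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Each list entry names the vulnerability, then a dash, then the CVE text.
ENTRY_PATTERN = re.compile(r"^(?P<name>.*?)\s*[\u2012\u2013\u2014]\s*(?P<rest>.*)$")

# Constructed sample input mirroring the article's list, including the en dashes
# inside the ProxyNotShell CVE numbers that appeared in the published text.
SAMPLE_REPORT = """\
Pwnkit\u2013CVE-2021-4034, a privilege escalation vulnerability in pkexec.
ProxyNotShell\u2014CVE-2022\u201341040 and CVE-2022\u201341082, a pair of RCE vulnerabilities.
Dirty Cred\u2014Two CVEs: CVE-2021-4154 and CVE-2022-2588, local privilege escalation.
"""


def normalize_dashes(text: str) -> str:
    """Replace Unicode dash look-alikes with the ASCII hyphen."""
    return text.translate(DASH_TRANSLATION)


def is_valid_cve(year: str, sequence: str) -> bool:
    """Reject IDs that cannot exist: the CVE program started in 1999."""
    return int(year) >= 1999 and len(sequence) >= 4


def extract_cve_ids(text: str) -> list[str]:
    """Return unique, upper-cased, hyphen-normalized CVE IDs in order of first appearance."""
    seen: set[str] = set()
    found: list[str] = []
    for year, sequence in CVE_PATTERN.findall(normalize_dashes(text)):
        if not is_valid_cve(year, sequence):
            continue
        cve_id = f"CVE-{year}-{sequence}"
        if cve_id not in seen:
            seen.add(cve_id)
            found.append(cve_id)
    return found


def group_cves_by_entry(report_text: str) -> dict[str, list[str]]:
    """Map each named entry (text before the first dash) to the CVE IDs on its line."""
    groups: dict[str, list[str]] = {}
    for line in report_text.splitlines():
        match = ENTRY_PATTERN.match(line.strip())
        if not match:
            continue
        name = match.group("name").strip()
        cves = extract_cve_ids(match.group("rest"))
        if name and cves:
            groups.setdefault(name, []).extend(c for c in cves if c not in groups[name])
    return groups


if __name__ == "__main__":
    for name, cves in group_cves_by_entry(SAMPLE_REPORT).items():
        print(f"{name}: {', '.join(cves)}")
```

The dash normalization is deliberately applied before matching rather than by widening the regex, so that the IDs written out are always in the canonical form a vulnerability scanner or ticket system will accept as a lookup key.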

Ofri Ouzan, a security researcher for Rezilion, said that while each of these vulnerabilities might impact organizations differently, the pace at which they are discovered is only going to accelerate as more research is conducted. Organizations should also assume that more zero-day vulnerabilities will be discovered in 2023, she added.

In the wake of the disclosure of the Spring4Shell vulnerability at the end of 2021, awareness of the potential impact of vulnerabilities has certainly risen. While that vulnerability may not have been as lethal as first predicted, more organizations have revisited their incident response capabilities once they realized how dependent they are on third-party software components to build applications. In fact, there is plenty of room for improvement in most organizations, noted Ouzan.

Ideally, IT teams and cybersecurity professionals should apply DevOps best practices to incident management processes that focus on symptoms indicative of a brewing service disruption. The overall goal is to remediate issues long before an actual problem occurs. Automatically applying application patches should be part of that effort. Arguably, the more organizations become accustomed to responding to a sudden incident, the more routine the whole process becomes. The muscle memory the organization eventually develops also allows it to become more resilient in a way that reduces overall stress levels. That approach provides the added benefit of reducing the level of burnout that members of the IT incident management team are likely to experience which, in turn, reduces turnover rates.

From a cybersecurity perspective, it’s hard to predict what 2023 will bring, but as IT environments become more complex and the volume of vulnerabilities increases, it will take longer to resolve issues.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.