raslam
By Level 7 Flexeran

Summary

Total advisories: 512 (last month: 689).

December reported fewer advisories than November.

Important conclusions from this month's report are:

  • 86 rejected advisories
  • The Secunia Research Team reported 4 Extremely critical advisories this month (3 last month)
  • 7 Zero-Day Advisories reported (incl. Citrix, Fortinet, Microsoft Edge, Google Chrome, Windows Server)
  • Over 1,456 CVEs (last month: 1,620) were covered in the 512 Advisories
  • Threat Intelligence indicates that more Medium and Highly Critical Vulnerabilities are targeted by hackers.
  • More than half of all advisories are disclosed by 4 vendors (SUSE 19%, IBM 16%, Amazon 11%, Ubuntu 9%)
  • NetApp is contributing to 85% of all Networking related Advisories.

Last month we reported that 59.22% of all Secunia Advisories had a Threat (exploits, malware, ransomware, etc.) associated with them. This month the number is 64.66%.

Flexera Threat Intelligence is going to help you with prioritizing what needs to be patched immediately.

Software Vulnerability and Patch Management is becoming more and more important. Due to the ongoing Russia-Ukraine conflict, attacks on critical infrastructure in many countries are increasing. Back in 2019 (just before Covid), patching was recommended within 30 days (or 14 days for a CVSS score of 7 or higher).

Right now, hackers are able to deploy exploits within 1 week and even within 24 hours. This means that organizations need to prioritize even better to quickly patch vulnerabilities (especially the ones with threats associated with them).

Noticeable information this month:

  • Google Chrome continues to disclose zero-day vulnerabilities with #9 (CVE-2022-4262) this year
  • Fortinet Warns of Active Exploitation of New SSL-VPN Pre-auth RCE Vulnerability (CVE-2022-42475)
  • Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems (CVE-2022-23093)
  • Hackers Actively Exploiting Citrix ADC and Gateway Zero-Day Vulnerability (CVE-2022-27518)
  • Microsoft addresses two zero days in December (Edge, Windows Server) reported in 3 SAIDs.
  • Log4Shell: 35% of Log4j downloads continue to be of vulnerable versions of the software.
    The US Department of Homeland Security review board earlier this year concluded that Log4j is an endemic security risk that organizations will need to contend with for years.
  • CISA added 9 vulnerabilities to the KEV (Known Exploited Vulnerabilities) list. The related December vulnerabilities are:
    • CVE-2022-42856, Apple iOS/Safari, macOS, WebkitGTK, Debian for wpewebkit, SUSE for webkitgtk3
    • CVE-2022-4262, Google Chromium, Microsoft Edge, Debian update for Chromium
    • CVE-2022-42475, FortiOS
    • CVE-2022-27518, Citrix