According to Risk Based Security, a Flashpoint company, 1,701 new vulnerabilities were disclosed last month, with 22 percent (382) of them missed by CVE/NVD. Here are some things you should know about the full vulnerability picture.
Apple zero-days are still at large
Among the vulnerabilities missed by MITRE and NIST are CVE-2022-22674 and CVE-2022-22675, two Apple zero-days affecting macOS. Disclosed at the end of March, these two vulnerabilities have received significant media attention and were added to CISA's Known Exploited Vulnerabilities Catalog a few days later.
Apple has provided patches for these issues, but at the time of this publishing, CVE still lists both of them as RESERVED. Because NVD depends on CVE, organizations relying strictly on these sources will be unaware of them.
However, federal agencies and private sector organizations seeking to comply with BOD 22-01, or CISA’s Shields Up, will be required to patch these zero-days by April 25. In order to meet this deadline, organizations will need comprehensive vulnerability intelligence.
Open Source Software (OSS) vulnerabilities are more common than you think
On March 29, a new vulnerability affecting Spring Framework was disclosed, dubbed SpringShell, with some claiming that it would rival Log4Shell in impact and scope. Thankfully, this was not the case.
Organizations need to be aware that vulnerabilities affecting OSS do exist and are disclosed quite often. In March, Debian Linux had the largest collection of issues, with each varying in severity and exploitability.
Since products often bundle hundreds of third-party libraries, security teams may have a difficult time gauging the risk that these issues pose. The best way to understand these attack vectors is to create a Software Bill of Materials (SBOM), which tells the organization which OSS libraries are used in which products.
Make prioritization easier by focusing on actionable severity
It is a difficult task to triage and remediate 1,701 vulnerabilities in a single month. Where should organizations start? To make prioritization efficient while keeping the organization best protected, security teams should first focus on vulnerabilities that are remotely exploitable, have public exploits, and have documented solutions.
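As an added illustration (not code from Risk Based Security or Flashpoint), the following Python ties the two points above together: it matches a constructed SBOM against a constructed vulnerability feed and ranks the hits by the criteria just listed (remotely exploitable, public exploit, documented solution), so the "first wave" of patching falls out of the data. All identifiers, versions and scores are placeholders, not real advisories.

```python
"""Match an SBOM component list against a vulnerability feed and rank hits
by actionable severity: remote + public exploit + documented solution first.
Hypothetical example; every record below is constructed, not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # feed identifier (placeholder); a CVE may be absent
    product: str          # affected component name
    versions: tuple       # affected versions (constructed)
    remote: bool          # remotely exploitable
    public_exploit: bool  # exploit code publicly available
    solution: bool        # patch or workaround documented
    cvss: float           # base score, used only as a tie-breaker


# Constructed SBOM: (component, version) pairs bundled by one product.
SBOM = [("spring-core", "5.3.17"), ("libfoo", "1.2.0"), ("log4j-core", "2.17.2")]

# Constructed vulnerability feed; ids and scores are placeholders.
FEED = [
    Vuln("VULN-0001", "spring-core", ("5.3.17",), True, True, True, 9.8),
    Vuln("VULN-0002", "libfoo", ("1.2.0",), False, False, True, 5.5),
    Vuln("VULN-0003", "libfoo", ("1.2.0",), True, False, False, 7.5),
    Vuln("VULN-0004", "log4j-core", ("2.14.1",), True, True, True, 10.0),
]


def match_sbom(sbom, feed):
    """Return feed entries whose product and version appear in the SBOM."""
    inventory = set(sbom)
    return [v for v in feed
            if any((v.product, ver) in inventory for ver in v.versions)]


def actionable_key(v):
    """Sort key: remote, then public exploit, then solution, then CVSS."""
    return (v.remote, v.public_exploit, v.solution, v.cvss)


def prioritize(sbom, feed):
    """All matching vulns, most actionable first."""
    return sorted(match_sbom(sbom, feed), key=actionable_key, reverse=True)


def first_wave(sbom, feed):
    """Only the vulns meeting all three criteria: patch these first."""
    return [v for v in prioritize(sbom, feed)
            if v.remote and v.public_exploit and v.solution]


if __name__ == "__main__":
    for v in prioritize(SBOM, FEED):
        print(v.vuln_id, v.product, actionable_key(v))
```

Note that VULN-0004 is excluded because the SBOM records a version outside its affected range, which is exactly the kind of noise an SBOM-driven match removes.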
Having a comprehensive source of vulnerability intelligence is essential. Sign up for a free trial to gain visibility into the vulnerabilities that CVE/NVD misses, while also having the details needed to make vulnerability management timely and efficient.