CISA Tells Organizations to Patch CVEs Dating Back to 2014
The US government has added eight more vulnerabilities to its growing list of CVEs that must be patched by federal agencies, including some that first appeared eight years ago.
The Binding Operational Directive (BOD) 22-01 that enabled it applies only to civilian federal agencies, but all organizations are encouraged to monitor the list on an ongoing basis as part of best practice security efforts.
The latest eight additions to the catalog include two that must be patched by February 11: a memory corruption vulnerability in Apple’s IOMobileFrameBuffer (CVE-2022-22587) and a stack-based buffer overflow bug SonicWall SMA 100 appliances (CVE-2021-20038).
Interestingly, while two of the remaining six CVEs were first discovered and published to the National Vulnerability Database (NVD) in 2020, four come from several years earlier.
These include two arbitrary code execution vulnerabilities in the GNU’s Bourne Again Shell (Bash) Unix shell and command language, from 2014 (CVE-2014-7169 and CVE-2014-6271).
Also, from 2014 is an Internet Explorer use-after-free bug (CVE-2014-1776).
The final CVE on the new list is