
Federal Agencies Instructed to Patch New Chrome Zero-Day

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to federal agencies about an actively exploited zero-day vulnerability in Google Chrome.

The high-severity security hole, identified as CVE-2022-1096, was discovered in Chrome’s V8 JavaScript engine and affects all Chromium-based browsers.

On Friday, Google released an emergency fix for this bug, and Microsoft followed suit the next day by updating its Chromium-based Edge browser.

The zero-day vulnerability has been added to CISA’s Known Exploited Vulnerabilities Catalog, along with 31 other bugs, including a high-severity Redis Server flaw that is now being exploited in botnet attacks.

The Redis flaw, tracked as CVE-2022-0543, is described as a Redis Lua sandbox escape and remote code execution vulnerability that exists because the Lua library is delivered as a dynamic library in some Debian/Ubuntu packages.

According to Juniper researchers, the Muhstik malware has been exploiting the vulnerability in attacks since March 11. Previously, the botnet’s operators were observed exploiting vulnerabilities in Confluence server, Log4j, and Oracle WebLogic.

Several of the other vulnerabilities that CISA has recently added to its Must Patch list were fixed in 2021; the rest are older bugs, some of which were fixed over a decade ago.

CISA has given federal agencies three weeks (until April 18) to patch these vulnerabilities. However, the agency previously told SecurityWeek that those who fail to meet the deadlines are not penalised. Instead, CISA assists organisations that are unable to meet the deadlines.

The Known Exploited Vulnerabilities Catalog is intended primarily for federal agencies, but organisations of all sizes are encouraged to use it to improve patching operations.
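One way an organisation might fold the catalog into patching operations, shown as an added example that is not code from this article or from CISA: match KEV entries against a software inventory and rank open items by days left to the due date. The field names follow CISA's KEV JSON feed; the sample feed, the product strings, the year in the due dates and the inventory are constructed assumptions.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (cveID, vendorProject,
# product, dueDate). The CVE IDs are the two named in the article; the product
# strings and the year in dueDate are assumptions made for this example.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-1096", "vendorProject": "Google",
     "product": "Chromium V8", "dueDate": "2022-04-18"},
    {"cveID": "CVE-2022-0543", "vendorProject": "Redis",
     "product": "Redis Server", "dueDate": "2022-04-18"},
]})

# Hypothetical inventory. "components" records what each install embeds, so a
# Chromium-based browser such as Edge still matches the V8 entry.
V8, REDIS = ("google", "chromium v8"), ("redis", "redis server")
INVENTORY = [
    {"host": "ws-014", "software": "Chrome", "components": [V8],
     "remediated": {"CVE-2022-1096"}},
    {"host": "ws-022", "software": "Edge", "components": [V8], "remediated": set()},
    {"host": "cache-01", "software": "redis-server", "components": [REDIS],
     "remediated": set()},
    {"host": "db-03", "software": "PostgreSQL",
     "components": [("postgresql", "postgresql")], "remediated": set()},
]

def triage(kev_json, inventory, today):
    """Return unremediated KEV findings for the inventory, most urgent first."""
    by_component = {}
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        key = (vuln["vendorProject"].strip().lower(), vuln["product"].strip().lower())
        by_component.setdefault(key, []).append(vuln)
    findings = []
    for asset in inventory:
        for component in asset["components"]:
            for vuln in by_component.get(component, []):
                if vuln["cveID"] in asset["remediated"]:
                    continue  # fix already confirmed on this host
                days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
                findings.append({
                    "host": asset["host"], "software": asset["software"],
                    "cve": vuln["cveID"], "days_left": days_left,
                    "status": "OVERDUE" if days_left < 0 else "DUE"})
    return sorted(findings, key=lambda f: (f["days_left"], f["host"], f["cve"]))

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2022, 4, 20)):
        print(f"{f['status']:8} {f['days_left']:>4}d {f['host']:9} {f['software']:13} {f['cve']}")
```

Exact string matching on vendor and product is brittle against a real inventory; in practice the component labels would be normalised once (for example to CPE names) before comparison.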


