Tripwire's April 2022 Patch Priority Index (PPI) brings together important vulnerabilities for Microsoft, Google Chrome, Oracle, and Adobe.
First on the patch priority list this month is an elevation of privilege vulnerability in the Microsoft Windows User Profile Service. This vulnerability has been added to the Metasploit Exploit Framework and any vulnerable systems should be patched as soon as possible.
Next are patches for Microsoft Edge and Google Chromium. These patches resolve over 25 vulnerabilities including one zero-day vulnerability (CVE-2022-1364). The patches fix issues such as use after free, elevation of privilege, type confusion, and spoofing vulnerabilities.
Up next are patches for Microsoft Excel. These patches resolve 2 remote code execution vulnerabilities.
Following Excel are patches for Oracle Java from the Oracle April Critical Patch Update that resolve 6 Java SE vulnerabilities.
Next are patches for Adobe Reader and Acrobat. These patches resolve over 60 vulnerabilities including Use after free, out of bounds write, stack-based buffer overflow, access of uninitialized pointer, out of bounds read, and heap-based buffer overflow vulnerabilities.
Up next are patches that affect components of the Windows operating systems. These patches resolve over 65 vulnerabilities, including elevation of privilege, information disclosure, security feature bypass, remote code execution, and denial of service vulnerabilities. These vulnerabilities affect core Windows, Kernel, DWM Core Library, Windows Defender, Media Center, Windows Installer, SMB, Print Spooler, LSA, Remote Desktop, and others.
Next are patches for the .NET, Visual Studio, and Visual Studio Code that resolve denial of service and elevation of privilege vulnerabilities.
Lastly, administrators should focus on server-side patches for Hyper-V, Skype for Business, LDAP, DNS Server, Windows Cluster Shared Volume (CSV), Power BI, Windows Endpoint Configuration Manager, Dynamics, SharePoint, and Active Directory Domain Services. These patches resolve remote code execution, spoofing, elevation of privilege, and denial of service vulnerabilities.
| BULLETIN | CVE |
|---|---|
| Exploit Framework - Metasploit | CVE-2022-26904 |
| Microsoft Edge (Chromium-based) and Google Chromium | CVE-2022-1364, CVE-2022-1125, CVE-2022-1127, CVE-2022-1128, CVE-2022-1129, CVE-2022-1130, CVE-2022-1131, CVE-2022-1133, CVE-2022-1134, CVE-2022-1135, CVE-2022-1136, CVE-2022-1137, CVE-2022-1138, CVE-2022-1139, CVE-2022-1143, CVE-2022-1145, CVE-2022-1146, CVE-2022-1232, CVE-2022-26895,CVE-2022-26894,CVE-2022-26891,CVE-2022-24475,CVE-2022-26912,CVE-2022-26900,CVE-2022-26909,CVE-2022-26908,CVE-2022-24523 |
| Microsoft Office Excel | CVE-2022-24473, CVE-2022-26901 |
| Oracle Java | CVE-2022-21443, CVE-2022-21434, CVE-2022-21426, CVE-2022-21449, CVE-2022-21476, CVE-2022-21496 |
| APSB22-16: Adobe Reader and Acrobat I | CVE-2022-24101, CVE-2022-24103, CVE-2022-24104, CVE-2022-27785, CVE-2022-24102, CVE-2022-27786, CVE-2022-27787, CVE-2022-27788, CVE-2022-27789, CVE-2022-27790, CVE-2022-27791, CVE-2022-27792, CVE-2022-27793, CVE-2022-27794, CVE-2022-27795, CVE-2022-27796, CVE-2022-27797, CVE-2022-27798, CVE-2022-27799, CVE-2022-27800, CVE-2022-27801, CVE-2022-27802, CVE-2022-28230, CVE-2022-28231, CVE-2022-28232, CVE-2022-28233, CVE-2022-28234, CVE-2022-28235, CVE-2022-28236, CVE-2022-28237 |
| APSB22-16: Adobe Reader and Acrobat II | CVE-2022-28238, CVE-2022-28239, CVE-2022-28240, CVE-2022-28241, CVE-2022-28242, CVE-2022-28243, CVE-2022-28244, CVE-2022-28245, CVE-2022-28246, CVE-2022-28247, CVE-2022-28248, CVE-2022-28249, CVE-2022-28250, CVE-2022-28251, CVE-2022-28252, CVE-2022-28253, CVE-2022-28254, CVE-2022-28255, CVE-2022-28256, CVE-2022-28257, CVE-2022-28258, CVE-2022-28259, CVE-2022-28260, CVE-2022-28261, CVE-2022-28262, CVE-2022-28263, CVE-2022-28264, CVE-2022-28265, CVE-2022-28266, CVE-2022-28267, CVE-2022-28268, CVE-2022-28269 |
| Windows I | CVE-2022-26808, CVE-2022-24543, CVE-2022-26807, CVE-2022-26918, CVE-2022-26916, CVE-2022-26917, CVE-2022-24498, CVE-2022-24493, CVE-2022-24499, CVE-2022-24530, CVE-2022-26920, CVE-2022-26903, CVE-2022-24492, CVE-2022-24528, CVE-2022-26809, CVE-2022-24495, CVE-2022-26915, CVE-2022-24532, CVE-2022-24489, CVE-2022-24496, CVE-2022-24487, CVE-2022-26788, CVE-2022-24494, CVE-2022-24483, CVE-2022-26828, CVE-2022-24550, CVE-2022-24533, CVE-2022-24546, CVE-2022-24548, CVE-2022-24479, CVE-2022-26810, CVE-2022-26827, CVE-2022-24491 |
| Windows II | CVE-2022-24497, CVE-2022-24482, CVE-2022-24540, CVE-2022-24521, CVE-2022-24481, CVE-2022-26830, CVE-2022-24485, CVE-2022-21983, CVE-2022-24534, CVE-2022-24500, CVE-2022-24541, CVE-2022-24488, CVE-2022-24547, CVE-2022-26914, CVE-2022-24474, CVE-2022-24542, CVE-2022-24549, CVE-2022-24486, CVE-2022-24544, CVE-2022-24545, CVE-2022-26787, CVE-2022-26786, CVE-2022-26789, CVE-2022-26802, CVE-2022-26790, CVE-2022-26803, CVE-2022-26801, CVE-2022-26792, CVE-2022-26793, CVE-2022-26791, CVE-2022-26796, CVE-2022-26797, CVE-2022-26794, CVE-2022-26795, CVE-2022-26798 |
| .NET Framework | CVE-2022-26832 |
| Visual Studio and Visual Studio Code | CVE-2022-24767, CVE-2022-24765, CVE-2022-24513, CVE-2022-26921 |
| Skype for Business | CVE-2022-26911, CVE-2022-26910 |
| Role: Windows Hyper-V | CVE-2022-23268, CVE-2022-22008, CVE-2022-22009, CVE-2022-23257, CVE-2022-24537, CVE-2022-26783, CVE-2022-26785, CVE-2022-24539, CVE-2022-24490 |
| LDAP - Lightweight Directory Access Protocol | CVE-2022-26831, CVE-2022-26919 |
| Role: DNS Server | CVE-2022-26816, CVE-2022-26819, CVE-2022-26818, CVE-2022-26815, CVE-2022-26820, CVE-2022-26811, CVE-2022-26813, CVE-2022-26812, CVE-2022-26821, CVE-2022-26822, CVE-2022-26823, CVE-2022-26824, CVE-2022-26825, CVE-2022-26826, CVE-2022-24536, CVE-2022-26829 |
| Windows Cluster Shared Volume (CSV) | CVE-2022-26784, CVE-2022-24538, CVE-2022-24484 |
| Power BI | CVE-2022-23292 |
| Windows Endpoint Configuration Manager | CVE-2022-24527 |
| Microsoft Dynamics | CVE-2022-23259 |
| Microsoft Office SharePoint | CVE-2022-24472 |
| Active Directory Domain Services | CVE-2022-26814, CVE-2022-26817 |
