Tripwire's March 2022 Patch Priority Index (PPI) brings together important vulnerabilities for Microsoft, Google Chrome, and Spring Framework.
First on the patch priority list this month is a remote code execution vulnerability in the Spring Framework (CVE-2022-22965). This vulnerability has been added to the Metasploit Exploit Framework and any vulnerable systems should be patched as soon as possible. See the following link for more details: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Next is a patch for Google Chrome that resolves a use after free vulnerability. This vulnerability has been targeted by two threat groups referred to as Operation AppleJeus and Operation Dream Job who are using exploit kits to target this vulnerability. Vulnerable systems should be patched as soon as possible. More details can be found at the following link: https://blog.google/threat-analysis-group/countering-threats-north-korea/
Up next are patches for Microsoft Word and Visio. These patches resolve 5 vulnerabilities including tampering, security feature bypass, and remote code execution vulnerabilities.
Up next are patches for Microsoft Edge (Chromium-base) that resolve over 21 vulnerabilities such as user after free, type confusion, heap buffer overflow, tampering, and elevation of privilege vulnerabilities.
Following Edge are patches that affect components of the Windows operating systems. These patches resolve over 25 vulnerabilities, including elevation of privilege, information disclosure, security feature bypass, remote code execution, and denial of service vulnerabilities. These vulnerabilities affect core Windows, Kernel, DWM Core Library, Windows Defender, Fast FAT File System Driver, Media Center, Windows Installer, SMBv3, Remote Desktop, and others.
Up next are patches for Windows Codec Library (HEIF Image Extensions, HEIF Video Extensions, Media Foundation, Raw Image Extension, VP9 Video Extensions) and Paint 3D. These patches resolve 14 vulnerabilities including remote code execution and information disclosure.
Next are patches for the .NET, Visual Studio, and Visual Studio Code that resolve denial of service, remote code execution, buffer overflow, and spoofing vulnerabilities.
Lastly, administrators should focus on server-side patches for Hyper-V and Exchange Server. These patches resolve remote code execution, spoofing, and denial of service vulnerabilities.
| BULLETIN | CVE |
|---|---|
| Exploit Framework - Metasploit | CVE-2022-22965 |
| Google Chrome | CVE-2022-0609 |
| Microsoft Office Word | CVE-2022-24511, CVE-2022-24462 |
| Microsoft Office Visio | CVE-2022-24510, CVE-2022-24509, CVE-2022-24461 |
| Microsoft Edge (Chromium-based) | CVE-2022-0789, CVE-2022-0790, CVE-2022-0791, CVE-2022-0792, CVE-2022-0793, CVE-2022-0794, CVE-2022-0795, CVE-2022-0796, CVE-2022-0797, CVE-2022-0798, CVE-2022-0799, CVE-2022-0800, CVE-2022-0801, CVE-2022-0802, CVE-2022-0803, CVE-2022-0804, CVE-2022-0805, CVE-2022-0806, CVE-2022-0807, CVE-2022-0808, CVE-2022-0809 |
| Microsoft Windows | CVE-2022-23293, CVE-2022-24460, CVE-2022-21973, CVE-2022-23296, CVE-2022-23281, CVE-2022-23290, CVE-2022-24454, CVE-2022-24507, CVE-2022-23294, CVE-2022-24508, CVE-2022-23297, CVE-2022-23298, CVE-2022-23291, CVE-2022-23288, CVE-2022-23253, CVE-2022-23285, CVE-2022-21990, CVE-2022-24503, CVE-2022-24455, CVE-2022-24525, CVE-2022-23284, CVE-2022-23299, CVE-2022-24502, CVE-2022-24505, CVE-2022-23283, CVE-2022-23287, CVE-2022-23286, CVE-2022-24459, CVE-2022-23278 |
| Microsoft Windows Codecs Library | CVE-2022-24457, CVE-2022-22006, CVE-2022-22007, CVE-2022-23301, CVE-2022-24456, CVE-2022-24453, CVE-2022-24452, CVE-2022-22010, CVE-2022-21977, CVE-2022-23300, CVE-2022-23295, CVE-2022-24451, CVE-2022-24501 |
| Paint 3D | CVE-2022-23282 |
| NET, Visual Studio, Visual Studio Code | CVE-2022-24464, CVE-2022-24512, CVE-2020-8927, CVE-2022-24526 |
| Microsoft Exchange Server | CVE-2022-23277, CVE-2022-24463 |
| Role: Windows Hyper-V | CVE-2022-21975 |
