Microsoft Patches 2 0-Days & 47 RCE Vulnerabilities, Google Patches 5 Chrome RCEs, Apache Patches RCE in ‘Struts 2’

April 14, 2022

Microsoft Patches 2 0-Days & 47 RCE Vulnerabilities

As part of April’s monthly security rollup updates, Microsoft has patched 2 zero-day (0-day) and 47 Remote Code Execution vulnerabilities. 

Overall, Microsoft has patched 119 vulnerabilities across Windows, Windows Server, Hyper-V, Azure, Office and others. 

The Zero-Day Vulnerabilities

  • CVE-2022-26904 (CVSS 3.1: 7.0, High Severity) – Windows User Profile Service Elevation of Privilege Vulnerability, publicly disclosed before the patch was available. 
  • CVE-2022-24521 (CVSS 3.1: 7.8, High Severity) – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability, reported by Microsoft as exploited in the wild, so it should be prioritized. 

For the full patched vulnerabilities list, including the 47 RCEs, visit Microsoft April 2022 Security Updates. 

Mitigation

CYREBRO recommends implementing the latest available Microsoft security/monthly rollup updates in all relevant systems as soon as possible. 

References: Microsoft April 2022 Security Updates. 


Google Patches 5 RCEs in Chrome

Google has updated Chrome, patching 11 vulnerabilities overall, 5 of which are use-after-free bugs that can lead to remote code execution. 

The updated version is 100.0.4896.88 for Windows, Mac and Linux. 

The RCE Vulnerabilities

  • CVE-2022-1305, High Severity – Use after free in storage. 
  • CVE-2022-1308, High Severity – Use after free in ‘BFCache’. 
  • CVE-2022-1310, High Severity – Use after free in regular expressions. 
  • CVE-2022-1311, High Severity – Use after free in Chrome OS shell. 
  • CVE-2022-1312, High Severity – Use after free in storage. 

Exploiting any of these use-after-free bugs, typically by getting a user to open a crafted web page, may lead to remote code execution on the target system. 

Affected Products

  • Chrome for Windows, Mac and Linux prior to version 100.0.4896.88. 

Mitigation

CYREBRO recommends updating your browser to the latest Chrome version, 100.0.4896.88 for Windows, Mac and Linux. Opening chrome://settings/help shows the running version and triggers the update if it has not been applied yet; the update only takes effect after the browser is relaunched. 

References: Google Advisory. 


Apache Patches RCE in Struts 2

Apache has patched a remote code execution vulnerability in Struts 2. 

Apache Struts 2 is an open-source web application framework for developing Java EE web applications. 

The Vulnerability

  • CVE-2021-31805 (CVSS 3.1: 8.5, High Severity) – Forced OGNL evaluation (the %{...} syntax) applied to raw, unvalidated user input in tag attributes causes that input to be evaluated a second time as an OGNL expression, which may lead to remote code execution. Apache tracks it as S2-062 and describes it as an incomplete fix of the earlier S2-061 (CVE-2020-17530). 

Affected Products

  • Apache Struts 2.0.0 – 2.5.29 (patched in 2.5.30). 

Mitigation

CYREBRO recommends that those using Struts 2 upgrade to Struts 2.5.30 or later. 

Workaround

If the upgrade cannot be applied yet, do not use forced OGNL evaluation (%{...}) in tag attributes on untrusted or unvalidated user input, and review existing pages for such usage. 
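The following scanner is an added example, not CYREBRO’s or the Apache Struts project’s code. It helps apply the workaround above by finding every forced OGNL evaluation inside a Struts 2 tag attribute in JSP sources and classifying it: literal constants cannot carry user input, expressions reading OGNL context objects such as #parameters come straight from the request, and everything else is a value-stack reference that needs a manual check of whether the property is bound from user input. The SAMPLE_JSP page is constructed for the example; the tag names are real Struts tags, but the action and property names are invented.

```python
"""Find forced OGNL evaluation (%{...}) inside Struts 2 tag attributes in JSP sources.

Added example for the CVE-2021-31805 / S2-062 workaround (not Apache Struts code):
it is a static triage aid and does not prove exploitability.
"""
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int        # 1-based line of the opening <s:...> tag
    tag: str         # Struts tag name, e.g. "a", "textfield"
    attribute: str   # attribute carrying the %{...} expression
    expression: str  # OGNL text between %{ and }
    category: str    # "literal", "request-context" or "review"


# Opening Struts tags: <s:name ...attrs...> or self-closing <s:name ... />.
# An attribute value containing a raw '>' (rare in practice) would end the match early.
TAG_RE = re.compile(r"<s:(?P<tag>[A-Za-z]+)\b(?P<attrs>[^>]*)>", re.DOTALL)
# name="value" or name='value'
ATTR_RE = re.compile(r"""(?P<name>[\w:-]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')""")
# Forced evaluation syntax %{...}; nested braces are not handled.
FORCED_RE = re.compile(r"%\{(?P<expr>[^}]*)\}")
# String, number, boolean and null literals cannot carry request data.
LITERAL_RE = re.compile(r"""'[^']*'|"[^"]*"|-?\d+(\.\d+)?|true|false|null""")
# OGNL context objects that read straight from the HTTP request.
REQUEST_CTX_RE = re.compile(r"#(parameters|request|attr)\b")


def classify(expression: str) -> str:
    expr = expression.strip()
    if LITERAL_RE.fullmatch(expr):
        return "literal"
    if REQUEST_CTX_RE.search(expr):
        return "request-context"
    # Value-stack reference: untrusted if the property is bound from a request parameter.
    return "review"


def find_forced_ognl(jsp_source: str) -> List[Finding]:
    findings: List[Finding] = []
    for tag_match in TAG_RE.finditer(jsp_source):
        line = jsp_source.count("\n", 0, tag_match.start()) + 1
        for attr in ATTR_RE.finditer(tag_match.group("attrs")):
            value = attr.group("dq") if attr.group("dq") is not None else attr.group("sq")
            for forced in FORCED_RE.finditer(value):
                expr = forced.group("expr")
                findings.append(Finding(line, tag_match.group("tag"), attr.group("name"),
                                        expr, classify(expr)))
    return findings


# Constructed sample page: real Struts tag names, invented action and property names.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="saveSkill">
  <s:textfield name="skillName" label="Skill" />
  <s:a id="%{skillName}" href="/skills">id is re-evaluated: dangerous if skillName comes from the request</s:a>
  <s:a id="%{#parameters.skillName[0]}" href="/skills">reads the request parameter directly</s:a>
  <s:a id="skill-link" href="/skills">safe: literal attribute, no forced evaluation</s:a>
  <s:property value="%{'constant'}" />
</s:form>
"""


def main(argv: List[str]) -> int:
    """Scan the JSP files given on the command line (or the sample); exit 1 if anything needs review."""
    if len(argv) > 1:
        sources = []
        for path in argv[1:]:
            with open(path, encoding="utf-8") as fh:
                sources.append((path, fh.read()))
    else:
        sources = [("<sample>", SAMPLE_JSP)]
    worst = 0
    for name, src in sources:
        for f in find_forced_ognl(src):
            if f.category == "literal":
                continue
            print(f"{name}:{f.line}: <s:{f.tag} {f.attribute}=\"%{{{f.expression}}}\"> [{f.category}]")
            worst = 1
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_ognl.py src/main/webapp/**/*.jsp` (or with no arguments to scan the embedded sample). A "request-context" hit is a direct instance of the pattern the advisory warns about; a "review" hit needs a look at the action class to see whether the property is populated from a request parameter. The scanner is regex-based, so it will miss expressions split across string concatenation or built in scriptlets, and a clean run is not a substitute for upgrading to 2.5.30.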

References: Apache Advisory. 
