According to Google and their advisory published Friday, the Google Chrome zero-day tracked as CVE-2022-1096 is a high severity type confusion weakness in the Chrome V8 JavaScript engine that could allow threat actors to execute code on targeted devices. CISA has given Federal Civilian Executive Branch Agencies (FCEB) until April 10th to patch this vulnerability, along with the Redis Luna Sandbox escape vulnerability (CVE-2022-0543) which was publicly released on March 10th. Issued in November, the Binding Operational Directive (BOD 22-01) requires that all FCEB agencies secure their systems against these vulnerabilities.
Analyst Notes
Although BOD 22-01 only applies to FCEB agencies, it is recommended that all private companies do the same to better protect themselves and reduce exposure to ongoing cyber-attacks. CISA has added hundreds of security flaws to their active exploitation catalog in recent weeks. Companies should be actively monitoring new vulnerabilities that are being added to the catalog and updating systems when necessary to avoid being a target of a cyber-attack.
https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-to-patch-actively-exploited-chrome-redis-bugs/
