January, 2022: Patch Tuesday: 6 Public Vulnerabilities, 1 Being Exploited

Welcome to my January Patch Tuesday newsletter. Starting 2022 we have 6 vulnerabilities that are public. Of the six, CVE-2021-44228 is not only public but is also being exploited. You may be more familiar with its newsworthy name, Log4j. This flaw allows remote code execution, which hackers are using to attack vulnerable applications. According to Microsoft, they have "not identified any exploitation of our enterprise services as a result of the Log4j vulnerability at this time." Despite this, Microsoft has published a blog on preventing, detecting and hunting for Log4j on your systems. So we recommend you definitely test and install this month's updates ASAP. It's also important to get this month's patches in place because there are 18 released or updated CVEs for which Microsoft's "Exploitability Assessment" is set to "Exploitation More Likely". Happy updating!

Patch data provided by: LOGbinder.com

| Technology | Products Affected | Severity | Reference | Workaround / Exploited / Publicly Disclosed | Vulnerability Info |
|---|---|---|---|---|---|
| Windows | Windows 7, 8.1, RT 8.1, 10, 11; Server 2008, 2008R2, 2012, 2012 R2, 2016, 2019, 2022 including Server Core Installations; HEVC Video Extensions; Remote Desktop Client | Critical | CVE-2021-22947, CVE-2021-36976*, CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21836*, CVE-2022-21838, CVE-2022-21839*, CVE-2022-21843, CVE-2022-21847, CVE-2022-21848, CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21852, CVE-2022-21857, CVE-2022-21858, CVE-2022-21859, CVE-2022-21860, CVE-2022-21861, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21865, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21869, CVE-2022-21870, CVE-2022-21871, CVE-2022-21872, CVE-2022-21873, CVE-2022-21874*, CVE-2022-21875, CVE-2022-21876, CVE-2022-21877, CVE-2022-21878, CVE-2022-21879, CVE-2022-21880, CVE-2022-21881, CVE-2022-21882, CVE-2022-21883, CVE-2022-21884, CVE-2022-21885, CVE-2022-21887, CVE-2022-21888, CVE-2022-21889, CVE-2022-21890, CVE-2022-21892, CVE-2022-21893, CVE-2022-21894, CVE-2022-21895, CVE-2022-21896, CVE-2022-21897, CVE-2022-21898, CVE-2022-21899, CVE-2022-21900, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21904, CVE-2022-21905, CVE-2022-21906, CVE-2022-21907, CVE-2022-21908, CVE-2022-21910, CVE-2022-21912, CVE-2022-21913, CVE-2022-21914, CVE-2022-21915, CVE-2022-21916, CVE-2022-21917, CVE-2022-21918, CVE-2022-21919*, CVE-2022-21920, CVE-2022-21921, CVE-2022-21922, CVE-2022-21924, CVE-2022-21925, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963, CVE-2022-21964 | Workaround: No; Exploited: No; Public: Yes* | Denial of Service; Elevation of Privilege; Information Disclosure; Remote Code Execution; Security Feature Bypass; Spoofing |
| Edge | Chromium-based | Important | CVE-2022-0096, CVE-2022-0097, CVE-2022-0098, CVE-2022-0099, CVE-2022-0100, CVE-2022-0101, CVE-2022-0102, CVE-2022-0103, CVE-2022-0104, CVE-2022-0105, CVE-2022-0106, CVE-2022-0107, CVE-2022-0108, CVE-2022-0109, CVE-2022-0110, CVE-2022-0111, CVE-2022-0112, CVE-2022-0113, CVE-2022-0114, CVE-2022-0115, CVE-2022-0116, CVE-2022-0117, CVE-2022-0118, CVE-2022-0120, CVE-2022-21929, CVE-2022-21930, CVE-2022-21931, CVE-2022-21954, CVE-2022-21970 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege; Remote Code Execution |
| .NET Framework | 2.0SP2, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 | Important | CVE-2022-21911 | Workaround: No; Exploited: No; Public: No | Denial of Service |
| Azure | DevOps, DevOps Server, Team Foundation Server | Critical | CVE-2021-44228* | Workaround: No; Exploited: Yes; Public: Yes* | Remote Code Execution |
| Office | 365 Apps for Enterprise; Excel 2013 RT SP1, 2013 SP1, 2016; Word 2016; Office 2013 RT SP1, 2013 SP1, 2016, 2019, 2019 for Mac, Online Server, Web Apps Server 2013 SP1; SharePoint Enterprise 2013 SP1, 2016, Server 2019, Foundation 2013 SP1, Subscription Edition, Server Subscription Edition Language Pack; LTSC 2021, LTSC for Mac 2021 | Critical | CVE-2022-21837, CVE-2022-21840, CVE-2022-21841, CVE-2022-21842 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| Azure | Insights Java SDK; Data Lake Store Java Tool, Client SDK; Spring Cloud; VMware Solution; Databricks; Arc-enabled Data Services; Minecraft Java Edition; Events Hub Extension; Cosmos DB Kafka Connector | Critical | CVE-2021-44228* | Workaround: No; Exploited: Yes; Public: Yes* | Remote Code Execution |
| Exchange Server | 2013 CU23; 2016 CU21 & CU22; 2019 CU10 & CU11 | Critical | CVE-2022-21846, CVE-2022-21855 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| System Center | Defender for IoT | Critical | CVE-2021-44228* | Workaround: No; Exploited: Yes; Public: Yes* | Remote Code Execution |
| SQL Server | 2019 Big Data Clusters | Critical | CVE-2021-44228* | Workaround: No; Exploited: Yes; Public: Yes* | Remote Code Execution |
| Dynamics 365 Customer Engagement | 9.0, 9.1 | Important | CVE-2022-21932 | Workaround: No; Exploited: No; Public: No | Spoofing |