CISA KEV Update Part I – May 2023
The U.S. CISA has added the following three new issues to its Known Exploited Vulnerabilities Catalog:
CVE-2023-1389 with CVSS score of 8.8 – TP-Link Archer AX-21 Command Injection Vulnerability. The CVE-2023-1389 flaw is an unauthenticated command injection vulnerability that resides in the locale API of the web management interface of the TP-Link Archer AX21 router. The root cause of the problem is the lack of input sanitization in the locale API that manages the router’s language settings. A remote attacker can trigger the issue to inject commands that are then executed on the device.
CVE-2021-45046 with CVSS score of 9.0 – Apache Log4j2 deserialization of untrusted data vulnerability. Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
CVE-2023-21839 with CVSS score of 7.5 – Oracle WebLogic Server Unspecified Vulnerability. Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server.
CISA orders federal agencies to fix these flaws by May 22, 2023.
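As an added example that is not part of the original post, the following Python check matches an asset inventory against a KEV feed and reports how many days remain before each CISA due date. The feed sample and the inventory are constructed, and the feed field names (cveID, product, dueDate, requiredAction) are assumed to follow the public catalog's JSON schema.

```python
import json
from datetime import date

# Constructed sample of the KEV JSON feed, restricted to the three CVEs above.
# Field names are assumed to match the public catalog schema.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX-21",
         "vulnerabilityName": "TP-Link Archer AX-21 Command Injection Vulnerability",
         "dueDate": "2023-05-22", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-45046", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
         "dueDate": "2023-05-22", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-21839", "vendorProject": "Oracle", "product": "WebLogic Server",
         "vulnerabilityName": "Oracle WebLogic Server Unspecified Vulnerability",
         "dueDate": "2023-05-22", "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory, e.g. exported from a vulnerability scanner:
# each host lists the CVE ids still open against it.
INVENTORY = [
    {"host": "edge-router-01", "cves": ["CVE-2023-1389"]},
    {"host": "app-server-07", "cves": ["CVE-2021-45046", "CVE-2020-99999"]},  # second id is a made-up non-KEV CVE
    {"host": "db-02", "cves": []},
]


def load_kev(feed_text):
    """Index the KEV feed by CVE id for O(1) lookup."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def kev_exposure(inventory, kev_index, today):
    """One finding per (host, KEV CVE); days_left < 0 means the CISA due date has passed."""
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev_index.get(cve)
            if entry is None:
                continue  # open vulnerability, but not in KEV, so no CISA due date applies
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"host": asset["host"], "cve": cve, "product": entry["product"],
                             "due": entry["dueDate"], "days_left": (due - today).days})
    return sorted(findings, key=lambda f: f["days_left"])  # most urgent first


if __name__ == "__main__":
    for f in kev_exposure(INVENTORY, load_kev(KEV_FEED), date.today()):
        print(f"{f['host']}: {f['cve']} ({f['product']}) due {f['due']}, {f['days_left']} days left")
```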