Let’s wrap up 2021 with one more look at vulnerabilities for the month of December. Microsoft didn’t hold back, releasing 67 vulnerability patches. Adobe takes second place, patching 60 vulnerabilities across 11 products. Mozilla patched 35 vulnerabilities, one of which is critical. Google rounds it out by patching 5 vulnerabilities this month. But we all know who took the cake – the Log4Shell vulnerability.
Let’s address the one we all know and (don’t really) love – the Log4Shell zero-day. An RCE vulnerability was patched in 2.15.0 on December 6, but a new vulnerability was then found in that release. It was originally given a CVSS score of 3.7, and 2.16.0 was delivered to address it. Shortly thereafter, a new bypass was found that allows full RCE in 2.15.0, raising the score to 9.0. Do not remain on 2.15.0; you are not fully protected. Upgrade to 2.16.0 to be fully patched. For more details on this vulnerability, check out our blog.
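The practical follow-up to "do not remain on 2.15.0" is knowing which log4j-core jars are actually deployed, including copies bundled inside fat jars and WAR files. The script below is an added example written for this post, not code from the original article or from any vendor tool: it walks a directory, reads the version from the Maven `pom.properties` that the log4j-core jar carries under `META-INF/maven/`, recurses into nested jars, and flags anything below 2.16.0 (the fixed release this post recommends; that threshold is taken from the post, not from the script's own judgement). The `make_fake_jar` helper builds constructed test fixtures so the script can be exercised offline.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Threshold from the post above: 2.15.0 is still bypassable, 2.16.0 is fully patched.
FIXED_VERSION = (2, 16, 0)

POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"


def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0); return None for anything not plain x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def log4j_core_version(jar_bytes):
    """Return the log4j-core version string found in a jar (or in a jar nested
    inside it, e.g. WEB-INF/lib/log4j-core-*.jar), or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                props = zf.read(name).decode("utf-8", errors="replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
            elif name.endswith((".jar", ".war", ".ear")):
                try:
                    found = log4j_core_version(zf.read(name))  # nested archive
                except zipfile.BadZipFile:
                    continue
                if found is not None:
                    return found
    return None


def classify(version_str):
    """'patched' if >= 2.16.0, 'vulnerable' if below, 'unknown' if unparseable."""
    v = parse_version(version_str)
    if v is None:
        return "unknown"
    return "patched" if v >= FIXED_VERSION else "vulnerable"


def scan_directory(root):
    """Walk root for archives and return (path, version, status) for each one
    that contains log4j-core."""
    results = []
    for path in Path(root).rglob("*"):
        if path.suffix not in (".jar", ".war", ".ear"):
            continue
        try:
            version = log4j_core_version(path.read_bytes())
        except zipfile.BadZipFile:
            continue
        if version is not None:
            results.append((str(path), version, classify(version)))
    return results


def make_fake_jar(version, nested=False):
    """Constructed fixture: a minimal jar holding only log4j-core's pom.properties.
    With nested=True the jar is wrapped inside an outer WAR-style archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PREFIX + "pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\n")
    inner = buf.getvalue()
    if not nested:
        return inner
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", inner)
    return outer.getvalue()


if __name__ == "__main__":
    for path, version, status in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {version:8} {path}")
```

Run it against an application directory or a mounted container image; anything reported as `vulnerable` still carries a pre-2.16.0 log4j-core, even if it sits inside a fat jar that a filename search would miss.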
Even though our focus was mainly on Log4Shell, let’s review what else came out this month.
Microsoft’s 67-patch release included 7 critical CVEs. CVE-2021-43890 (rated High) has been exploited in the wild, making it the only zero-day in Microsoft’s release this month.
Adobe released 60 vulnerability patches, 28 ranked critical. These patches were across 11 of their products. The highest ranked CVE goes to CVE-2021-40722 / CWE-611 for Adobe Experience Manager with a score of 9.8, allowing arbitrary code execution.
Of Mozilla’s 35 patches, one addressed a critical vulnerability affecting DER-encoded DSA or RSA-PSS signatures. Google patched 5 vulnerabilities: 4 high and 1 critical. The critical vulnerability affected data validation in Mojo. CVE-2021-4102 has been exploited in the wild, so update Chrome to 96.0.4664.110 as soon as possible.
You can find all of the Patch Tuesday updates from Microsoft, Google, and Adobe in our monthly Patch Tuesday Index. In that blog you’ll find the Log4Shell Worklet we’ve written.
That’s a wrap for 2021 - we’ll see you in the new year!
‘Til next time!