Last updated at Tue, 11 Jan 2022 21:41:56 GMT
The first Patch Tuesday of 2022 sees Microsoft publishing fixes for over 120 CVEs across the bulk of their product line, including 29 previously patched CVEs affecting their Edge browser via Chromium. None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today. This includes two Remote Code Execution (RCE) vulnerabilities in open source libraries that are bundled with more recent versions of Windows: CVE-2021-22947, which affects the curl library, and CVE-2021-36976, which affects libarchive.
The majority of this month’s patched vulnerabilities, such as CVE-2022-21857 (affecting Active Directory Domain Services), allow attackers to elevate their privileges on systems or networks they already have a foothold in.
Critical RCEs
Besides CVE-2021-22947 (libcurl), several other Critical RCE vulnerabilities were also fixed. Most of these have caveats that reduce their scariness to some degree. The worst of these is CVE-2022-21907, affecting the Windows HTTP protocol stack. Although it carries a CVSSv3 base score of 9.8 and is considered potentially “wormable” by Microsoft, similar vulnerabilities have not proven to be rampantly exploited (see the AttackerKB analysis for CVE-2021-31166).
Not quite as bad is CVE-2022-21840, which affects all supported versions of Office, as well as SharePoint Server. Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website – thankfully the Windows preview pane is not a vector for this attack.
CVE-2022-21846 affects Exchange Server, but cannot be exploited directly over the public internet (attackers need to be “adjacent” to the target system in terms of network topology). This restriction also applies to CVE-2022-21855 and CVE-2022-21969, two less severe RCEs in Exchange this month.
CVE-2022-21912 and CVE-2022-21898 both affect DirectX Graphics and require local access. CVE-2022-21917 is a vulnerability in the Windows Codecs library. In most cases, systems should automatically get patched; however, some organizations may have the vulnerable codec preinstalled on their gold images and disable Windows Store updates.
Defenders should prioritize patching servers (Exchange, SharePoint, Hyper-V, and IIS) followed by web browsers and other client software.
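One way to turn this ordering into a patch queue, as an added example that is not part of the original post: it parses rows in the pipe-delimited layout of the tables on this page and sorts them servers first, then browsers and client software, then everything else. The keyword-to-group mapping (including treating the HTTP Protocol Stack as the IIS-relevant item) and the tie-breaks on public disclosure and CVSS are assumptions of this sketch.

```python
import re

# Constructed sample: CVE IDs and titles from this page, in the tables' row layout.
SAMPLE_ROWS = """\
CVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ |
---|---|---|---|---|---|
CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes |
CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2022-21837 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.3 | Yes |
CVE-2022-21901 | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 9 | Yes |
CVE-2022-0102 | Chromium: CVE-2022-0102 Type Confusion in V8 | No | No | nan | Yes |
CVE-2021-22947 | Open Source Curl Remote Code Execution Vulnerability | No | Yes | nan | Yes |
CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | No |
"""

# Assumed keyword mapping: tier 0 = servers named in the post, tier 1 = browsers/clients.
SERVER = re.compile(r"\b(Exchange|SharePoint|Hyper-V|HTTP Protocol Stack)\b", re.I)
CLIENT = re.compile(r"\b(Edge|Chromium|Office|Word|Excel|Remote Desktop Client)\b", re.I)

def parse_rows(text):
    """Return one dict per CVE row; header, separator and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != 6 or not re.fullmatch(r"CVE-\d{4}-\d{4,}", cells[0]):
            continue
        try:
            score = float(cells[4])
        except ValueError:              # e.g. "N/A"
            score = None
        if score is not None and score != score:   # "nan" parses to float NaN
            score = None
        rows.append({"cve": cells[0], "title": cells[1], "exploited": cells[2] == "Yes",
                     "disclosed": cells[3] == "Yes", "cvss": score})
    return rows

def tier(row):
    if SERVER.search(row["title"]):
        return 0
    return 1 if CLIENT.search(row["title"]) else 2

def triage(rows):
    """Sort by tier, then exploited, then publicly disclosed, then CVSS (unscored last)."""
    def key(r):
        cvss_rank = -r["cvss"] if r["cvss"] is not None else 1.0
        return (tier(r), not r["exploited"], not r["disclosed"], cvss_rank)
    return sorted(rows, key=key)

if __name__ == "__main__":
    for r in triage(parse_rows(SAMPLE_ROWS)):
        print(tier(r), r["cve"], r["cvss"], r["title"])
```

Rows without a CVSS score are kept rather than dropped, so bundled open source fixes such as curl still appear in the queue.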
Summary tables
Browser vulnerabilities
CVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ |
---|---|---|---|---|---|
CVE-2022-21930 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes |
CVE-2022-21931 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes |
CVE-2022-21929 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 2.5 | Yes |
CVE-2022-21954 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes |
CVE-2022-21970 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes |
CVE-2022-0120 | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | No | No | N/A | Yes |
CVE-2022-0118 | Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | No | No | N/A | Yes |
CVE-2022-0117 | Chromium: CVE-2022-0117 Policy bypass in Service Workers | No | No | N/A | Yes |
CVE-2022-0116 | Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | No | No | N/A | Yes |
CVE-2022-0115 | Chromium: CVE-2022-0115 Uninitialized Use in File API | No | No | N/A | Yes |
CVE-2022-0114 | Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | No | No | N/A | Yes |
CVE-2022-0113 | Chromium: CVE-2022-0113 Inappropriate implementation in Blink | No | No | N/A | Yes |
CVE-2022-0112 | Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | No | No | N/A | Yes |
CVE-2022-0111 | Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | No | No | N/A | Yes |
CVE-2022-0110 | Chromium: CVE-2022-0110 Incorrect security UI in Autofill | No | No | N/A | Yes |
CVE-2022-0109 | Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | No | No | N/A | Yes |
CVE-2022-0108 | Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | No | No | N/A | Yes |
CVE-2022-0107 | Chromium: CVE-2022-0107 Use after free in File Manager API | No | No | N/A | Yes |
CVE-2022-0106 | Chromium: CVE-2022-0106 Use after free in Autofill | No | No | N/A | Yes |
CVE-2022-0105 | Chromium: CVE-2022-0105 Use after free in PDF | No | No | N/A | Yes |
CVE-2022-0104 | Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | No | No | N/A | Yes |
CVE-2022-0103 | Chromium: CVE-2022-0103 Use after free in SwiftShader | No | No | N/A | Yes |
CVE-2022-0102 | Chromium: CVE-2022-0102 Type Confusion in V8 | No | No | N/A | Yes |
CVE-2022-0101 | Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | No | No | N/A | Yes |
CVE-2022-0100 | Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | No | No | N/A | Yes |
CVE-2022-0099 | Chromium: CVE-2022-0099 Use after free in Sign-in | No | No | N/A | Yes |
CVE-2022-0098 | Chromium: CVE-2022-0098 Use after free in Screen Capture | No | No | N/A | Yes |
CVE-2022-0097 | Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | No | No | N/A | Yes |
CVE-2022-0096 | Chromium: CVE-2022-0096 Use after free in Storage | No | No | N/A | Yes |
Developer Tools vulnerabilities
CVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ |
---|---|---|---|---|---|
CVE-2022-21911 | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No |
ESU Windows vulnerabilities
CVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ |
---|---|---|---|---|---|
CVE-2022-21924 | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No |
CVE-2022-21834 | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | No |
CVE-2022-21885 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21914 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
CVE-2022-21920 | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.8 | Yes |
CVE-2022-21908 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21843 | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes |
CVE-2022-21883 | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes |
CVE-2022-21848 | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes |
CVE-2022-21889 | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes |
CVE-2022-21890 | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes |
CVE-2022-21900 | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes |
CVE-2022-21905 | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes |
CVE-2022-21880 | Windows GDI+ Information Disclosure Vulnerability | No | No | 7.5 | Yes |
CVE-2022-21915 | Windows GDI+ Information Disclosure Vulnerability | No | No | 6.5 | Yes |
CVE-2022-21904 | Windows GDI Information Disclosure Vulnerability | No | No | 7.5 | Yes |
CVE-2022-21903 | Windows GDI Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21899 | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 5.5 | No |
CVE-2022-21916 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21897 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21838 | Windows Cleanup Manager Elevation of Privilege Vulnerability | No | No | 5.5 | Yes |
CVE-2022-21836 | Windows Certificate Spoofing Vulnerability | No | Yes | 7.8 | Yes |
CVE-2022-21925 | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No |
CVE-2022-21862 | Windows Application Model Core API Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21859 | Windows Accounts Control Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21833 | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21922 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2022-21893 | Remote Desktop Protocol Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2022-21850 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2022-21851 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2022-21835 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21884 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21913 | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | No | No | 5.3 | No |
CVE-2022-21857 | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 8.8 | Yes |
Exchange Server vulnerabilities
CVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ |
---|---|---|---|---|---|
CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes |
CVE-2022-21855 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes |
CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes |
Microsoft Dynamics vulnerabilities
CVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ |
---|---|---|---|---|---|
CVE-2022-21932 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | No | No | 7.6 | No |
CVE-2022-21891 | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | No | No | 7.6 | No |
Microsoft Office vulnerabilities
CVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ |
---|---|---|---|---|---|
CVE-2022-21842 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
CVE-2022-21837 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.3 | Yes |
CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2022-21841 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
Windows vulnerabilities
CVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ |
---|---|---|---|---|---|
CVE-2022-21895 | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21864 | Windows UI Immersive Server API Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21866 | Windows System Launcher Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21875 | Windows Storage Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21863 | Windows StateRepository API Server file Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21874 | Windows Security Center API Remote Code Execution Vulnerability | No | Yes | 7.8 | No |
CVE-2022-21892 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes |
CVE-2022-21958 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes |
CVE-2022-21959 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes |
CVE-2022-21960 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes |
CVE-2022-21961 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes |
CVE-2022-21962 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes |
CVE-2022-21963 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.4 | Yes |
CVE-2022-21928 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.3 | Yes |
CVE-2022-21867 | Windows Push Notifications Apps Elevation Of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21888 | Windows Modern Execution Server Remote Code Execution Vulnerability | No | No | 7.8 | No |
CVE-2022-21881 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21879 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 5.5 | No |
CVE-2022-21849 | Windows IKE Extension Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
CVE-2022-21901 | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 9 | Yes |
CVE-2022-21847 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 | No |
CVE-2022-21878 | Windows Geolocation Service Remote Code Execution Vulnerability | No | No | 7.8 | No |
CVE-2022-21872 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21839 | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | No | Yes | 6.1 | No |
CVE-2022-21868 | Windows Devices Human Interface Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21921 | Windows Defender Credential Guard Security Feature Bypass Vulnerability | No | No | 4.4 | No |
CVE-2022-21906 | Windows Defender Application Control Security Feature Bypass Vulnerability | No | No | 5.5 | No |
CVE-2022-21852 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21902 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21896 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21858 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2022-21860 | Windows AppContracts API Server Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21876 | Win32k Information Disclosure Vulnerability | No | No | 5.5 | Yes |
CVE-2022-21882 | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes |
CVE-2022-21887 | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes |
CVE-2022-21873 | Tile Data Repository Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21861 | Task Flow Data Engine Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21870 | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21877 | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes |
CVE-2022-21894 | Secure Boot Security Feature Bypass Vulnerability | No | No | 4.4 | No |
CVE-2022-21964 | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | No | No | 5.5 | Yes |
CVE-2021-22947 | Open Source Curl Remote Code Execution Vulnerability | No | Yes | N/A | Yes |
CVE-2022-21871 | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21910 | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-36976 | Libarchive Remote Code Execution Vulnerability | No | Yes | N/A | Yes |
CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
CVE-2022-21917 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
CVE-2022-21912 | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
CVE-2022-21898 | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | No |
CVE-2022-21918 | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 6.5 | No |
CVE-2022-21865 | Connected Devices Platform Service Elevation of Privilege Vulnerability | No | No | 7 | No |
CVE-2022-21869 | Clipboard User Service Elevation of Privilege Vulnerability | No | No | 7 | No |