Security teams are so inundated with managing vulnerabilities that it’s no longer possible to patch everything. In the era of the skills gap, understaffed security teams really have to prioritize the patches that make sense for their organization.
In that spirit, Rezilion posted a June 8 blog that detailed the top six or seven vulnerabilities of the first half of 2023. What came out of the research was that it’s difficult to pinpoint which vulnerability to focus on first — much depends on the type of business, technology organization, and what the staff uses the applications for. But as a general rule, Rezilion said security teams should focus on the recent Apache Superset, Papercut, MOVEit, and ChatGPT vulnerabilities.
Yotam Perkal, director of vulnerability research at Rezilion, explained that along with ongoing staffing issues, security teams must prioritize which patches to focus on because more than 20,000 vulnerabilities are reported each year, and under 5% of them are actually exploited in the wild.
“And sometimes vulnerabilities get a lot of attention at first and a really high severity score, but then people recognize later they are not as severe,” Perkal said. “Security teams need to look at processes and sources of information that will help them better prioritize and gain context about the vulnerability.”
Here are the vulnerabilities Rezilion identified:
- JsonWebToken (CVE-2022-23529).
- ChatGPT (CVE-2023-28858).
- Apache Superset (CVE-2023-27524).
- PaperCut NG/MF (CVE-2023-27350).
- Fortinet FortiOS (CVE-2022-41328).
- Adobe ColdFusion (CVE-2023-26360).
- MOVEit vulnerability (CVE-2023-34362).
Perkal said one good example of a vulnerability that was not as severe as initially believed was the JsonWebToken vulnerability, which was first rated with a high CVSS score of 9.8. However, after a detailed examination by security researchers, the severity of this vulnerability was reassessed and ultimately retracted. Perkal said this underscores the importance of rigorous analysis and robust community feedback to ensure accurate assessments and mitigations.
In terms of the vulnerability that was most widespread across many organizations, Perkal said security teams should look to patch the PaperCut vulnerability because just about every type of organization manages print servers.
Set up proper security controls for ChatGPT
While the ChatGPT vulnerability only had a CVSS score of 3.7, Perkal said security teams should also focus on that one because organizations are only just beginning with ChatGPT and most have not set up proper security controls. Perkal said that with ChatGPT, security teams have to focus on the controls and processes they are setting up around this new technology.
“People don’t want to miss the train and they are rushing to integrate it into their organizations,” Perkal said. “But it’s new, and not yet mature, especially the ecosystem around it, all the open source apps based on it, and plug-ins around it are really new. So people need to be mindful of that and don’t rush to integrate into your software development lifecycle. They need to double-check before they trust such applications.”
It’s always challenging to come up with a list of the "most significant" vulnerabilities, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said researchers don't always agree on how these bugs should get rated outside the designated CVSS scores, which adds to the difficulty. For example, how do we weigh the relative severity of the exploit versus the number of targets? Is a massive breach against a handful of targets more significant than a minor inconvenience that affects tens of thousands?
“With this particular list, the question of ‘whether you should focus on it’ depends entirely on whether you're a potential target,” said Parkin. “For example, if you use one of the vulnerable Fortinet devices, you need to patch yesterday. But if you don't have any of that kit in your environment, the advisory is irrelevant. The bottom line is that if a CVE applies in your environment, you need to address it. And, if the CVE has exploits in the wild, you need to address it now.”
Callie Guenther, cyber threat research senior manager at Critical Start, said although the CVSS score for the ChatGPT vulnerability was relatively low, it gained attention because of the increasing reliance on AI services across industries.
“Security teams should give it attention, as even low-severity vulnerabilities in critical services can have significant consequences,” Guenther said. “Mitigating this vulnerability should involve ensuring that the ChatGPT service is properly secured and following best practices for securing AI systems.”
Guenther also said security teams should focus on addressing the Apache Superset vulnerability promptly because Apache Superset is widely used for data visualization and analytics. The Apache Superset vulnerability — caused by the default SECRET_KEY configuration — highlights the importance of using unique, secure keys for safe application access.
“Patching the vulnerability or reconfiguring the SECRET_KEY should be a priority,” said Guenther.
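As an added illustration of the reconfiguration step Guenther describes (this is example code written for this article, not Rezilion's, Critical Start's or the Apache Superset project's), the following audit flags a Superset `SECRET_KEY` that is unset, too short, low-entropy or equal to a known placeholder, and generates a replacement with a CSPRNG. The placeholder value in `KNOWN_WEAK_KEYS` is constructed for the example; the actual default keys to compare against come from the Superset advisory for CVE-2023-27524.

```python
import secrets
from math import log2

# Constructed placeholder standing in for Superset's shipped default/example key.
# The real values to flag should be copied from the CVE-2023-27524 advisory.
KNOWN_WEAK_KEYS = {"CHANGE-ME-placeholder-default"}
MIN_LENGTH = 32        # characters
MIN_ENTROPY_BITS = 128 # heuristic floor on the Shannon estimate below


def shannon_entropy_bits(value: str) -> float:
    """Rough total entropy (bits) from the character frequencies in `value`.
    It is a heuristic: it catches repetitive or tiny keys, not all weak ones."""
    n = len(value)
    if n == 0:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    per_char = -sum(k / n * log2(k / n) for k in counts.values())
    return per_char * n


def assess_secret_key(secret_key) -> list[str]:
    """Return findings for a configured SECRET_KEY; an empty list means it passes."""
    if not isinstance(secret_key, str) or not secret_key.strip():
        return ["SECRET_KEY is unset or empty"]
    findings = []
    if secret_key in KNOWN_WEAK_KEYS:
        findings.append("SECRET_KEY is a known default/example value")
    if len(secret_key) < MIN_LENGTH:
        findings.append(f"SECRET_KEY shorter than {MIN_LENGTH} characters")
    if shannon_entropy_bits(secret_key) < MIN_ENTROPY_BITS:
        findings.append(f"SECRET_KEY estimated entropy below {MIN_ENTROPY_BITS} bits")
    return findings


def audit_superset_config(config: dict) -> list[str]:
    """Audit a dict of settings as loaded from superset_config.py."""
    return assess_secret_key(config.get("SECRET_KEY"))


def generate_secret_key(nbytes: int = 42) -> str:
    """Fresh key from the OS CSPRNG; 42 bytes gives a 56-character URL-safe string."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample config with the weak placeholder, then its fixed form.
    weak = {"SECRET_KEY": "CHANGE-ME-placeholder-default"}
    print(audit_superset_config(weak))
    print(audit_superset_config({"SECRET_KEY": generate_secret_key()}))
```

In a deployment the generated value belongs in `superset_config.py` (for example read from an environment variable or a secrets store), and existing sessions must be re-established after rotating the key.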