CNNVD关于微软多个安全漏洞的预警
CNNVD 2022-03-11
近日,微软官方发布了多个安全漏洞的公告,其中微软产品本身漏洞72个,影响到微软产品的其他厂商漏洞2个。包括OpenSSL 缓冲区错误漏洞(CNNVD-202108-1945、CVE-2021-3711)、Microsoft WindowsMedia Foundation权限许可和访问控制问题漏洞(CNNVD-202108-841、CVE-2021-36927)等多个漏洞。成功利用上述漏洞的攻击者可以在目标系统上执行任意代码、获取用户数据,提升权限等。微软多个产品和系统受漏洞影响。目前,微软官方已经发布了漏洞修复补丁,建议用户及时确认是否受到漏洞影响,尽快采取修补措施。
一、 漏洞介绍
2022年3月9日,微软发布了2022年3月份安全更新,共74个漏洞的补丁程序,CNNVD对这些漏洞进行了收录。本次更新主要涵盖了Microsoft Windows 和Windows 组件、Microsoft Skype Extensionfor Chrome、Microsoft Windows CD-ROM Driver、Microsoft HEIF Image Extensions、MicrosoftOffice Visio、Microsoft Windows Fastfat Driver等。CNNVD对其危害等级进行了评价,其中超危漏洞1个,高危漏洞52个,中危漏洞19个,低危漏洞2个。微软多个产品和系统版本受漏洞影响,具体影响范围可访问
https://portal.msrc.microsoft.com/zh-cn/security-guidance查询。
二、漏洞详情
此次更新共包括72个漏洞的补丁程序,其中高危漏洞52个,中危漏洞18个,低危漏洞2个。
|
序号 |
漏洞名称 |
CNNVD编号 |
CVE编号 |
危害等级 |
官方链接 |
|
1 |
Microsoft Windows Media Foundation权限许可和访问控制问题漏洞 |
CNNVD-202108-841 |
CVE-2021-36927 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36927 |
|
2 |
Microsoft Dynamics 代码注入漏洞 |
CNNVD-202202-696 |
CVE-2022-21957 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21957 |
|
3 |
Microsoft XBox 权限许可和访问控制问题漏洞 |
CNNVD-202203-695 |
CVE-2022-21967 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21967 |
|
4 |
Microsoft Remote Desktop Client 代码注入漏洞 |
CNNVD-202203-691 |
CVE-2022-21990 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21990 |
|
5 |
Microsoft HEVC Video Extensions 代码注入漏洞 |
CNNVD-202203-734 |
CVE-2022-22006 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22006 |
|
6 |
Microsoft HEVC Video Extensions 代码注入漏洞 |
CNNVD-202203-732 |
CVE-2022-22007 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22007 |
|
7 |
Microsoft Defender for IoT 代码注入漏洞 |
CNNVD-202203-751 |
CVE-2022-23265 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23265 |
|
8 |
Microsoft Defender 权限许可和访问控制问题漏洞 |
CNNVD-202203-753 |
CVE-2022-23266 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23266 |
|
9 |
Microsoft Exchange Server 代码注入漏洞 |
CNNVD-202203-708 |
CVE-2022-23277 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23277 |
|
10 |
Microsoft Paint 3D 代码注入漏洞 |
CNNVD-202203-711 |
CVE-2022-23282 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23282 |
|
11 |
Microsoft Windows ALPC 权限许可和访问控制问题漏洞 |
CNNVD-202203-682 |
CVE-2022-23283 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23283 |
|
12 |
Microsoft Windows Print Spooler Components 权限许可和访问控制问题漏洞 |
CNNVD-202203-685 |
CVE-2022-23284 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23284 |
|
13 |
Microsoft Remote Desktop Client 代码注入漏洞 |
CNNVD-202203-679 |
CVE-2022-23285 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23285 |
|
14 |
Microsoft Windows Cloud Files Mini Filter Driver 权限许可和访问控制问题漏洞 |
CNNVD-202203-681 |
CVE-2022-23286 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23286 |
|
15 |
Microsoft Windows ALPC 权限许可和访问控制问题漏洞 |
CNNVD-202203-680 |
CVE-2022-23287 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23287 |
|
16 |
Microsoft DWM Core Library 权限许可和访问控制问题漏洞 |
CNNVD-202203-678 |
CVE-2022-23288 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23288 |
|
17 |
Microsoft Windows COM 权限许可和访问控制问题漏洞 |
CNNVD-202203-687 |
CVE-2022-23290 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23290 |
|
18 |
Microsoft DWM Core Library 权限许可和访问控制问题漏洞 |
CNNVD-202203-683 |
CVE-2022-23291 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23291 |
|
19 |
Microsoft Windows Fastfat Driver 权限许可和访问控制问题漏洞 |
CNNVD-202203-675 |
CVE-2022-23293 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23293 |
|
20 |
Microsoft Windows Event Tracing 代码注入漏洞 |
CNNVD-202203-676 |
CVE-2022-23294 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23294 |
|
21 |
Microsoft Raw Image Extension 代码注入漏洞 |
CNNVD-202203-742 |
CVE-2022-23295 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23295 |
|
22 |
Microsoft Windows Installer 权限许可和访问控制问题漏洞 |
CNNVD-202203-677 |
CVE-2022-23296 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23296 |
|
23 |
Microsoft Windows NT OS Kernel 权限许可和访问控制问题漏洞 |
CNNVD-202203-674 |
CVE-2022-23298 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23298 |
|
24 |
Microsoft Windows PDEV 权限许可和访问控制问题漏洞 |
CNNVD-202203-671 |
CVE-2022-23299 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23299 |
|
25 |
Microsoft Raw Image Extension 代码注入漏洞 |
CNNVD-202203-741 |
CVE-2022-23300 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23300 |
|
26 |
Microsoft HEVC Video Extensions 代码注入漏洞 |
CNNVD-202203-731 |
CVE-2022-23301 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23301 |
|
27 |
Microsoft VP9 Video Extensions 代码注入漏洞 |
CNNVD-202203-760 |
CVE-2022-24451 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24451 |
|
28 |
Microsoft HEVC Video Extensions 代码注入漏洞 |
CNNVD-202203-737 |
CVE-2022-24452 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24452 |
|
29 |
Microsoft HEVC Video Extensions 代码注入漏洞 |
CNNVD-202203-733 |
CVE-2022-24453 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24453 |
|
30 |
Microsoft Windows Security Account Manager 权限许可和访问控制问题漏洞 |
CNNVD-202203-670 |
CVE-2022-24454 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24454 |
|
31 |
Microsoft Windows CD-ROM Driver 权限许可和访问控制问题漏洞 |
CNNVD-202203-672 |
CVE-2022-24455 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24455 |
|
32 |
Microsoft HEVC Video Extensions 代码注入漏洞 |
CNNVD-202203-738 |
CVE-2022-24456 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24456 |
|
33 |
Microsoft HEIF Image Extensions 代码注入漏洞 |
CNNVD-202203-764 |
CVE-2022-24457 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24457 |
|
34 |
Microsoft Windows Fax and Scan Service 权限许可和访问控制问题漏洞 |
CNNVD-202203-667 |
CVE-2022-24459 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24459 |
|
35 |
Microsoft Tablet Windows User Interface 权限许可和访问控制问题漏洞 |
CNNVD-202203-668 |
CVE-2022-24460 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24460 |
|
36 |
Microsoft Office Visio 代码注入漏洞 |
CNNVD-202203-727 |
CVE-2022-24461 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24461 |
|
37 |
Microsoft .NET Core和Microsoft Visual Studio 输入验证错误漏洞 |
CNNVD-202203-701 |
CVE-2022-24464 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24464 |
|
38 |
Microsoft Azure Site Recovery 代码注入漏洞 |
CNNVD-202203-725 |
CVE-2022-24467 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24467 |
|
39 |
Microsoft Azure Site Recovery 代码注入漏洞 |
CNNVD-202203-722 |
CVE-2022-24468 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24468 |
|
40 |
Microsoft Azure Site Recovery 权限许可和访问控制问题漏洞 |
CNNVD-202203-724 |
CVE-2022-24469 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24469 |
|
41 |
Microsoft Azure Site Recovery 代码注入漏洞 |
CNNVD-202203-720 |
CVE-2022-24470 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24470 |
|
42 |
Microsoft Azure Site Recovery 代码注入漏洞 |
CNNVD-202203-719 |
CVE-2022-24471 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24471 |
|
43 |
Microsoft VP9 Video Extensions 代码注入漏洞 |
CNNVD-202203-767 |
CVE-2022-24501 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24501 |
|
44 |
Microsoft Windows ALPC 权限许可和访问控制问题漏洞 |
CNNVD-202203-669 |
CVE-2022-24505 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24505 |
|
45 |
Microsoft Windows Ancillary Function Driver for WinSock 权限许可和访问控制问题漏洞 |
CNNVD-202203-665 |
CVE-2022-24507 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24507 |
|
46 |
Microsoft SMBv3 代码注入漏洞 |
CNNVD-202203-661 |
CVE-2022-24508 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24508 |
|
47 |
Microsoft Office Visio 代码注入漏洞 |
CNNVD-202203-714 |
CVE-2022-24509 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24509 |
|
48 |
Microsoft Office Visio 代码注入漏洞 |
CNNVD-202203-713 |
CVE-2022-24510 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24510 |
|
49 |
Microsoft Azure Site Recovery 代码注入漏洞 |
CNNVD-202203-716 |
CVE-2022-24517 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24517 |
|
50 |
Microsoft Azure Site Recovery 代码注入漏洞 |
CNNVD-202203-718 |
CVE-2022-24520 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24520 |
|
51 |
Microsoft Skype Extension for Chrome 信息泄露漏洞 |
CNNVD-202203-728 |
CVE-2022-24522 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24522 |
|
52 |
Microsoft Windows Update 权限许可和访问控制问题漏洞 |
CNNVD-202203-659 |
CVE-2022-24525 |
高危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24525 |
|
53 |
Microsoft Windows Media 输入验证错误漏洞 |
CNNVD-202203-697 |
CVE-2022-21973 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21973 |
|
54 |
Microsoft Hyper-V 输入验证错误漏洞 |
CNNVD-202203-693 |
CVE-2022-21975 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21975 |
|
55 |
Microsoft Windows Media Foundation 缓冲区错误漏洞 |
CNNVD-202203-689 |
CVE-2022-22010 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22010 |
|
56 |
Microsoft Windows Point-to-Point Tunneling Protocol 输入验证错误漏洞 |
CNNVD-202203-684 |
CVE-2022-23253 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23253 |
|
57 |
Microsoft Defender 安全漏洞 |
CNNVD-202203-717 |
CVE-2022-23278 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278 |
|
58 |
Microsoft Windows Common Log File System Driver 信息泄露漏洞 |
CNNVD-202203-686 |
CVE-2022-23281 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23281 |
|
59 |
Microsoft NT LAN Manager 信息泄露漏洞 |
CNNVD-202203-673 |
CVE-2022-23297 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23297 |
|
60 |
Microsoft Word 安全特征问题漏洞 |
CNNVD-202203-726 |
CVE-2022-24462 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24462 |
|
61 |
Microsoft Exchange Server 信息泄露漏洞 |
CNNVD-202203-700 |
CVE-2022-24463 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24463 |
|
62 |
Microsoft Windows HTML Platform 安全特征问题漏洞 |
CNNVD-202203-664 |
CVE-2022-24502 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24502 |
|
63 |
Microsoft Remote Desktop Protocol Client 缓冲区错误漏洞 |
CNNVD-202203-666 |
CVE-2022-24503 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24503 |
|
64 |
Microsoft Azure Site Recovery 权限许可和访问控制问题漏洞 |
CNNVD-202203-715 |
CVE-2022-24506 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24506 |
|
65 |
Microsoft Word 输入验证错误漏洞 |
CNNVD-202203-710 |
CVE-2022-24511 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24511 |
|
66 |
Microsoft .NET Core和Microsoft Visual Studio 代码注入漏洞 |
CNNVD-202203-699 |
CVE-2022-24512 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24512 |
|
67 |
Microsoft Azure Site Recovery 权限许可和访问控制问题漏洞 |
CNNVD-202203-721 |
CVE-2022-24515 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24515 |
|
68 |
Microsoft Azure Site Recovery 权限许可和访问控制问题漏洞 |
CNNVD-202203-729 |
CVE-2022-24518 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24518 |
|
69 |
Microsoft Azure Site Recovery 权限许可和访问控制问题漏洞 |
CNNVD-202203-723 |
CVE-2022-24519 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24519 |
|
70 |
Microsoft Visual Studio Code 安全漏洞 |
CNNVD-202203-730 |
CVE-2022-24526 |
中危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24526 |
|
71 |
Microsoft Windows Media Foundation 缓冲区错误漏洞 |
CNNVD-202203-692 |
CVE-2022-21977 |
低危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21977 |
|
72 |
Microsoft Intune 安全特征问题漏洞 |
CNNVD-202203-773 |
CVE-2022-24465 |
低危 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24465 |
此次更新共包括2个影响微软产品的其他厂商漏洞的补丁程序,其中超危漏洞1个中危漏洞1个。
|
序号 |
漏洞名称 |
CNNVD编号 |
CVE编号 |
危害等级 |
厂商 |
官方链接 |
|
1 |
OpenSSL 缓冲区错误漏洞 |
CNNVD-202108-1945 |
CVE-2021-3711 |
超危 |
Openssl团队 |
https://git.openssl.org/?p=openssl.git;a=summary |
|
2 |
Google brotli Library 缓冲区错误漏洞 |
CNNVD-202009-910 |
CVE-2020-8927 |
中危 |
|
https://github.com/google/brotli/releases/tag/v1.0 |
三、修复建议
目前,微软官方已经发布补丁修复了上述漏洞,建议用户及时确认漏洞影响,尽快采取修补措施。微软官方补丁下载地址:https://msrc.microsoft.com/update-guide/en-us
