Security News > 2022 > February > NHS urges orgs to apply security update for Okta Client RCE bug

NHS urges orgs to apply security update for Okta Client RCE bug
2022-02-25 18:58

The UK's NHS Digital agency is warning organizations to apply new security updates for a remote code execution vulnerability in the Windows client for the Okta Advanced Server Access authentication management platform.

"NHS Digital is the national digital, data and technology delivery partner for the NHS and social care system," explains the website for NHS Digital.

In an NHS Digital Cyber Alert released yesterday, all organizations are advised to apply the latest patches for the Okta Advanced Server Client to fix an RCE vulnerability disclosed last week.

Last week, Okta disclosed a new remote code execution vulnerability tracked as CVE-2022-24295, allowing remote attackers to perform command injection via a specially crafted URL. Remote code execution attacks can lead to complete system control, perform silent data exfiltration, lateral network movement, and initial access to corporate networks.

Okta released Advanced Server Access Client version 1.57.0 last week, but the application of available security updates needs to pick up pace as threat actors are likely to start scanning the web to find vulnerable deployments.

The vendor hasn't provided any mitigations or workarounds, so the remediation advice is limited to updating to the latest client available from Okta.


News URL

https://www.bleepingcomputer.com/news/security/nhs-urges-orgs-to-apply-security-update-for-okta-client-rce-bug/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-02-21 CVE-2022-24295 Code Injection vulnerability in Okta Advanced Server Access Client for Windows
Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL.
network
low complexity
okta CWE-94
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Okta 7 0 3 6 0 9