Security News > 2022 > November > CISA Warns of Actively Exploited Critical Oracle Fusion Middleware Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.
Successful exploitation of the remote command execution bug could enable an unauthenticated attacker with network access to completely compromise and take over Access Manager instances.
"It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim's server," Vietnamese security researcher Nguyen Jang, who reported the bug alongside peterjson, noted earlier this March.
Also added by CISA to the KEV catalog is the recently patched heap buffer overflow flaw in the Google Chrome web browser that the internet giant acknowledged as having been abused in the wild.
Federal agencies are required to apply the vendor patches by December 19, 2022, to secure networks against potential threats.
News URL
https://thehackernews.com/2022/11/cisa-warns-of-actively-exploited.html
Related news
- CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns (source)
- CISA confirms that SonicWall vulnerability is getting exploited (CVE-2024-40766) (source)
- GitLab warns of critical pipeline execution vulnerability (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks (source)
- PoC for critical SolarWinds Web Help Desk vulnerability released (CVE-2024-28987) (source)
- Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers (source)
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- CISA: Network switch RCE flaw impacts critical infrastructure (source)
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-19 | CVE-2021-35587 | Unspecified vulnerability in Oracle Access Manager 11.1.2.3.0/12.2.1.3.0/12.2.1.4.0 Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). | 9.8 |