Security News > 2022 > November > CISA Warns of Actively Exploited Critical Oracle Fusion Middleware Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.
Successful exploitation of the remote command execution bug could enable an unauthenticated attacker with network access to completely compromise and take over Access Manager instances.
"It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim's server," Vietnamese security researcher Nguyen Jang, who reported the bug alongside peterjson, noted earlier this March.
The issue was addressed by Oracle as part of its Critical Patch Update in January 2022.
Also added by CISA to the KEV catalog is the recently patched heap buffer overflow flaw in the Google Chrome web browser that the internet giant acknowledged as having been abused in the wild.
News URL
http://thehackernews.com/2022/11/cisa-warns-of-actively-exploited.html
Related news
- CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation (source)
- CISA Warns of CentreStack's Hard-Coded MachineKey Vulnerability Enabling RCE Attacks (source)
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- CISA extends funding to ensure 'no lapse in critical CVE services' (source)
- CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices (source)
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- CISA warns of increased breach risks following Oracle Cloud leak (source)
- Oracle hopes talk of cloud data theft dies off. CISA just resurrected it for Easter (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-01-19 | CVE-2021-35587 | Unspecified vulnerability in Oracle Access Manager 11.1.2.3.0/12.2.1.3.0/12.2.1.4.0 Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). | 0.0 |