Security News > 2023 > February > CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack
The U.S. Cybersecurity and Infrastructure Security Agency on February 2 added two security flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The first of the two vulnerabilities is CVE-2022-21587, a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.
"Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator," CISA said.
The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022.
Not much is known about the nature of the attacks exploiting the vulnerability.
The development comes a week after CISA also added CVE-2017-11357, a severe security vulnerability impacting Telerik UI that could facilitate arbitrary file uploads or remote code execution.
News URL
https://thehackernews.com/2023/02/cisa-alert-oracle-e-business-suite-and.html
Related news
- CISA warns of critical Oracle, Mitel flaws exploited in attacks (source)
- CISA: No Wider Federal Impact from Treasury Cyber Attack, Investigation Ongoing (source)
- CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation (source)
- Mitel MiCollab, Oracle WebLogic Server vulnerabilities exploited by attackers (source)
- CISA orders agencies to patch BeyondTrust bug exploited in attacks (source)
- CISA Adds Second BeyondTrust Flaw to KEV Catalog Amid Active Attacks (source)
- CISA Adds Five-Year-Old jQuery XSS Flaw to Exploited Vulnerabilities List (source)
- CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25 (source)
- CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks (source)
- CISA orders agencies to patch Linux kernel bug exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-18 | CVE-2022-21587 | Missing Authentication for Critical Function vulnerability in Oracle E-Business Suite Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). | 0.0 |
| 2017-08-23 | CVE-2017-11357 | Unrestricted Upload of File with Dangerous Type vulnerability in Telerik UI for Asp.Net Ajax Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. | 9.8 |