On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of two flaws to its Known Exploited Vulnerabilities (KEV) Catalog, one of them impacting Oracle Fusion Middleware, citing evidence of active exploitation.
Tracked as CVE-2021-35587, the vulnerability carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.
Successful exploitation of the remote code execution vulnerability, which is reachable over HTTP without credentials, can allow an unauthenticated attacker with network access to completely compromise and take over Access Manager instances.
Vietnamese security researcher Nguyen Jang (Janggggg), who reported the bug along with peterjson, said in March: “It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim’s server.” Oracle addressed the issue in January 2022 as part of its Critical Patch Update.
Additional details about the nature and scale of the attacks are not yet clear. Data from threat intelligence company GreyNoise shows that attempts to exploit the flaw have been ongoing, with activity originating from the U.S., China, Germany, Singapore, and Canada.
CISA has also added a recently patched heap buffer overflow flaw in the Google Chrome web browser (CVE-2022-4135) to the KEV catalog, a bug that Google acknowledged was being exploited in the wild.
Under Binding Operational Directive 22-01, federal agencies are required to apply the vendor patches by December 19, 2022, to protect their networks from potential threats.
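The check a defender wants after an announcement like this is whether anything in their own inventory is now on a BOD 22-01 clock. The script below is an added example, not code from the article, from CISA or from Oracle: it indexes a feed in the shape of CISA's KEV JSON download by CVE ID, joins it against a scanner-style host inventory, and reports how many days remain before (or have passed since) each catalog due date. The feed entries and the inventory are constructed for this example; the two CVE IDs and the December 19, 2022 due date are the ones named in the article, while the other field values, host names and the placeholder finding "CVE-0000-0000" are assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (the live file is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The two CVE IDs and the due date come from the article; every other field
# value below is filled in for this example and is not copied from the catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2022-11-28",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-35587",
            "vendorProject": "Oracle",
            "product": "Fusion Middleware",
            "vulnerabilityName": "Oracle Fusion Middleware Unspecified Vulnerability",
            "dateAdded": "2022-11-28",
            "shortDescription": "Unauthenticated remote code execution in Oracle Access Manager.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-12-19",
        },
        {
            "cveID": "CVE-2022-4135",
            "vendorProject": "Google",
            "product": "Chromium",
            "vulnerabilityName": "Google Chromium Heap Buffer Overflow Vulnerability",
            "dateAdded": "2022-11-28",
            "shortDescription": "Heap buffer overflow in Google Chrome.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-12-19",
        },
    ],
})

# Constructed asset inventory: host -> CVE IDs reported by a scanner.
# "CVE-0000-0000" is a placeholder for a finding outside the catalog, not a real ID.
SAMPLE_INVENTORY = {
    "oam-prod-01": ["CVE-2021-35587"],
    "laptop-0042": ["CVE-2022-4135", "CVE-0000-0000"],
    "db-03": ["CVE-0000-0000"],
}


def load_kev(feed_text: str) -> dict:
    """Parse the KEV JSON download and index its entries by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def remediation_status(kev: dict, inventory: dict, as_of) -> list:
    """Join inventory findings against the catalog and compute the due-date clock.

    as_of may be a datetime.date or an ISO date string. Returns one record per
    (host, CVE) pair that is in KEV, most overdue first; findings that are not in
    the catalog carry no BOD 22-01 deadline and are skipped.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    records = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - as_of).days  # negative once the due date has passed
            records.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due.isoformat(),
                "days_left": days_left,
                "status": "overdue" if days_left < 0 else "due",
            })
    records.sort(key=lambda r: (r["days_left"], r["host"]))
    return records


def overdue_hosts(kev: dict, inventory: dict, as_of) -> list:
    """Hosts with at least one KEV finding past its due date, deduplicated, sorted."""
    hosts = []
    for record in remediation_status(kev, inventory, as_of):
        if record["status"] == "overdue" and record["host"] not in hosts:
            hosts.append(record["host"])
    return hosts


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for r in remediation_status(catalog, SAMPLE_INVENTORY, "2022-12-20"):
        print(f'{r["status"]:8} {r["host"]:12} {r["cve"]:15} {r["product"]:25} '
              f'due {r["due"]} ({r["days_left"]:+d} days)')
```

On the day after the deadline both catalog findings report as overdue by one day, while the placeholder finding on db-03 never appears because it is not in the catalog; the same join against the real feed is what an FCEB team would run on each release of the catalog.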