
Warning: A pre-authentication remote code execution vulnerability in Oracle Access Manager is actively being exploited

Reference: 
Advisory #2022-40
Version: 
1.0
Affected software: 
Oracle Access Manager (part of Fusion Middleware)
Type: 
Remote Code Execution
CVE/CVSS: 

CVE-2021-35587 CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Oracle Critical Patch Update Advisory - January 2022

Risks

Oracle addressed an actively exploited critical vulnerability in Oracle Access Manager.

Successful exploitation of CVE-2021-35587 results in unauthenticated remote network access via HTTP, meaning a full compromise of Oracle Access Manager. An attacker could then use Oracle Access Manager to create users with any privilege or to execute arbitrary code on the victim’s server.

The attack does not require any user interaction and can be executed remotely. The impact on confidentiality, integrity and availability is high.

The Centre for Cyber Security Belgium (CCB) recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report contains instructions to help your organization.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Description

In January 2022 Oracle released a Critical Patch Update containing 39 security patches for Oracle Fusion Middleware. The update contains a patch for CVE-2021-35587.

CVE-2021-35587 is a critical vulnerability in Oracle Access Manager, which is part of the Oracle Fusion Middleware suite. The vulnerability affects the OpenSSO component of Oracle Access Manager. Successful exploitation allows a remote, unauthenticated attacker to compromise Oracle Access Manager via HTTP. The attacker can then create users with any privileges to move laterally and/or execute arbitrary code on the victim’s server.

Affected products

· Oracle Access Manager (Oracle Fusion Middleware suite)

Affected versions

· 11.1.2.0.0 (End of Life, no patch available)
· 11.1.2.3.0
· 12.2.1.3.0
· 12.2.1.4.0

Recommended actions

The CCB recommends that organisations patch vulnerable systems and devices with the highest priority, after thorough testing. Please follow the recommendations of the Oracle Critical Patch Update Advisory (January 2022).

The CCB recommends that organisations scale up their monitoring and detection capabilities in order to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.

When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify that the device was not accessed from an unknown IP address or location.
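The two checks this advisory asks for, confirming whether a deployed Oracle Access Manager version is on the affected list and reviewing access logs for requests from unknown IP addresses, can be scripted. The following is an added example written for this page; it is not CCB or Oracle code. It assumes combined-format web server access logs (Apache/OHS style), a trusted-network allowlist that you supply as CIDR ranges, and a few constructed sample log lines whose request paths are placeholders rather than real product endpoints.

```python
import ipaddress
import re
from collections import defaultdict

# Affected versions as listed in CCB Advisory #2022-40 (CVE-2021-35587).
AFFECTED_VERSIONS = {
    "11.1.2.0.0": "affected: End of Life, no patch available",
    "11.1.2.3.0": "affected: apply Oracle CPU January 2022",
    "12.2.1.3.0": "affected: apply Oracle CPU January 2022",
    "12.2.1.4.0": "affected: apply Oracle CPU January 2022",
}


def oam_version_status(version: str) -> str:
    """Return the advisory's status for an OAM version string.

    Any version not on the list is reported as 'not listed'; confirm such
    versions against Oracle's own patch notes rather than assuming safety.
    """
    return AFFECTED_VERSIONS.get(version.strip(), "not listed")


# Combined log format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, trusted_networks):
    """Group requests by source IP and flag every IP outside trusted_networks.

    trusted_networks is an iterable of CIDR strings (assumed: your own user,
    VPN and administration ranges). Each finding summarises what the unknown
    address requested so an analyst can decide whether it needs investigation.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than fail the whole run
        by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue  # known-good source, nothing to report
        findings.append({
            "ip": ip,
            "requests": len(recs),
            "first_seen": recs[0]["ts"],
            "paths": sorted({r["path"] for r in recs}),
            "statuses": sorted({r["status"] for r in recs}),
        })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses; paths are
# placeholders, not real Oracle Access Manager endpoints).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2022:10:01:22 +0100] "GET /oam/sample/login HTTP/1.1" 200 5123',
    '10.0.0.5 - - [18/Jan/2022:10:01:25 +0100] "POST /oam/sample/login HTTP/1.1" 302 0',
    '203.0.113.7 - - [18/Jan/2022:03:14:09 +0100] "GET /oam/sample/sso HTTP/1.1" 200 812',
    '203.0.113.7 - - [18/Jan/2022:03:14:10 +0100] "POST /oam/sample/sso HTTP/1.1" 500 231',
    'this line is not in combined log format',
]

# Assumed trusted ranges for the constructed example.
TRUSTED = ["10.0.0.0/8", "192.168.0.0/16"]


if __name__ == "__main__":
    print("12.2.1.4.0 ->", oam_version_status("12.2.1.4.0"))
    for finding in triage(SAMPLE_LOG, TRUSTED):
        print(finding)
```

Run it against your real log export by replacing SAMPLE_LOG with the file's lines and TRUSTED with your actual ranges; a finding is a starting point for the threat assessment the advisory recommends, not proof of compromise, and the timestamp of the first unknown-source request is useful for scoping which sessions and accounts created since then need review.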

References

Known Exploited Vulnerabilities Catalog | CISA
Oracle Access Manager Pre-Auth RCE (CVE-2021–35587 Analysis) | by Jang | Medium