Flash Notice: Oracle Vulnerability Actively Exploited

December 1, 2022

overview

A patched vulnerability found in Oracle’s Fusion Middleware Access Manager (OAM) is currently under active exploitation. CVE-2021-35587 allows attackers with network access via HTTP to take over the Access Manager product. Oracle Fusion Middleware is a cloud platform used by large factories and telecom carriers.

CVE-2021-35587 has a CVSS base score of 9.8 and has been placed on the Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV). As stated, the vulnerability was patched in January 2022, but if CISA is adding it to the KEV catalog then it means that one or more systems were not updated within the appropriate time frame - enabling attackers to exploit it.

Security researcher Nguyen Jang, who contributed to reporting the bug, stated earlier in the year that the flaw could “give an attacker access to the OAM server, to create any user with any privileges or just get code execution in the victim’s server.” There are no details regarding the nature of the current attacks or the scale of exploitation efforts. However, data from the intelligence firm GreyNoise shows that attempts to exploit CVE-2021-35587 are ongoing and originate from Germany, the U.S., Canada, and Singapore.

How Avertium is Protecting Our CUSTOMERS

Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack.
Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is great than the sum of its parts.

Avertium's recommendations

CVE-2021-35587 affects the following versions of Oracle Access Manager:

11.2.3.0
12.1.3.0
12.1.4.0
Oracle Access Manager has been patched in the above supported versions
Federal agencies have until December 19, 2022 to secure their networks against a potential threat. Ensure the patch for all devices has updated. Patch guidance can be found here.
According to Oracle, vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.

The flaw also affects Oracle WebLogic Server:

11g - 10.3.5.0
OAM 11g – 11.1.2.0.0 (which reached end of life on January 1, 2022 and therefore does not have a patch)

INDICATORS OF COMPROMISE (IOCS):

At this time, there are no known IoCs associated with CVE-2021-35587. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.