WARNING: CRITICAL VULNERABILITY IN ORACLE BI PUBLISHER V7.0.0.0.0/12.2.1.4.0 COULD LEAD TO APPLICATION TAKEOVER, PATCH IMMEDIATELY!
CVE-2024-21082: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risks
Oracle BI Publisher is Oracle Analytics' enterprise reporting solution for authoring, managing, and delivering formatted documents. Oracle released its April 2024 Critical Patch Update, which addresses, among others, the critical vulnerability CVE-2024-21082 (CVSS 9.8), which could result in application takeover. Compromise could have a high impact on the confidentiality, integrity and availability of data and systems.
At the time of writing, there are no indications that the vulnerability is actively exploited.
Description
CVE-2024-21082 is a vulnerability in the XML Services component of the affected software.
An unauthenticated attacker with network access via HTTP could easily compromise Oracle BI Publisher and successfully take over the application.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.