
WARNING: CRITICAL VULNERABILITY IN ORACLE BI PUBLISHER V7.0.0.0.0/12.2.1.4.0 COULD LEAD TO APPLICATION TAKEOVER, PATCH IMMEDIATELY!

Reference: Advisory #2024-57
Version: 1.0
Affected software: Oracle BI Publisher v7.0.0.0.0/12.2.1.4.0
Type: XML Services vulnerability
CVE/CVSS: CVE-2024-21082: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.oracle.com/security-alerts/#CriticalPatchUpdates
https://www.oracle.com/security-alerts/cpuapr2024.html
https://www.oracle.com/security-alerts/cpuapr2024verbose.html#ANLY

Risks

Oracle BI Publisher is Oracle Analytics' enterprise reporting solution for authoring, managing, and delivering formatted documents. Oracle's April 2024 Critical Patch Update addresses, among others, the critical vulnerability CVE-2024-21082 (CVSS 9.8), which could result in application takeover. A compromise could have a high impact on the confidentiality, integrity and availability of data and systems.

At the time of writing, there are no indications that the vulnerability is actively exploited.

Description

CVE-2024-21082 is a vulnerability in the XML Services component of the affected software.

An unauthenticated attacker with network access via HTTP could easily compromise Oracle BI Publisher and successfully take over the application.

 

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-21082