Warning: A Pre-authentication remote code execution for Oracle access manager is actively being exploited
CVE-2021-35587 CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Oracle addressed an actively exploited critical vulnerability in Oracle Access Manager.
Successful exploitation of CVE-2021-35587 results in unauthenticated remote network access via HTTP, means a Full compromise of the Oracle Access Manager. An attacker could then use Oracle Access Manager to create users with any privilege or to execute arbitrary code on the victim’s server
The attack does not require any user interaction and can be executed remotely. The impact on confidentiality, integrity and availability is high.
The Centre for Cyber security Belgium recommends system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report has instructions to help your organization.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
In January 2022 Oracle released a Critical Patch Update containing 39 security patches for Oracle Fusion Middleware. The update contains a patch for CVE-2021-35587.
CVE-2021-35587 is a critical vulnerability in the Oracle Access Manager that is part of the Oracle Fusion Middleware suite. The vulnerability affects the “OpenSSO component” found in Oracle Access Manager. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to compromise the Oracle Access Manager via HTTP. The attacker can create users with any privileges to move laterally and/or execute arbitrary code on the victim’s server.
· Oracle Access Manager (Oracle Fusion Middleware suite)
· 220.127.116.11.0 (End of Life, no patch available)
The CCB recommends organisations to patch vulnerable systems with the highest priority, after thorough testing. Please follow the recommendations of the Oracle Critical Update Advisory(Jan 20222).
The CCB recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
The CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify the device was not accessed from an unknown IP or location.