CISA has added two security vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild. The flaws affect Oracle Fusion Middleware and Google Chrome and can be abused to take control of affected systems.
About the flaw impacting Oracle
The critical flaw in Oracle Fusion Middleware, tracked as CVE-2021-35587, is a pre-authentication remote code execution (RCE) vulnerability with a CVSS score of 9.8.
It affects Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0 and can be exploited over the network with crafted HTTP requests. The flaw also affects Oracle WebLogic Server 11g (10.3.6.0) and OAM 11g (11.1.2.0.0), but vendor support for those releases has already ended (as of January 1).
Successful exploitation allows an unauthenticated attacker with network access to fully compromise and take over Access Manager instances.
Several proof-of-concept (PoC) exploits have been published on GitHub since March, but according to CISA, successful exploitation attempts have only now been observed.
About the flaw impacting Google Chrome
The Chrome flaw is the eighth zero-day vulnerability discovered in the browser this year and affects versions prior to 107.0.5304.121 for Mac, Linux, and Windows.
Remote attackers can exploit it to cause a denial of service by forcing the browser into an infinite loop, or to execute arbitrary code or bypass existing protection mechanisms via a specially crafted HTML page.
Patch it to stay safe
Given the active exploitation, CISA has directed federal agencies to apply the vendor patches by December 19. Organizations running the affected products should also update to the latest versions as soon as possible to address the issues and reduce their exposure.
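The practical question behind this advisory is whether a given install is still on a vulnerable build. The script below is an added example, not code from the article or from either vendor: it parses a Chrome `--version` string and compares it numerically against the fixed build 107.0.5304.121 quoted above, and classifies an OAM/WebLogic version against the affected list above. The sample version strings are constructed for illustration. The one thing worth showing here is that dotted versions must be compared as integer tuples, not as strings, or older builds such as 99.x sort as "newer" than 107.x.

```python
"""Added example (not from the article): flag installs still on a version the
advisory above describes as vulnerable.

Assumptions (mine, not the article's): Chrome versions are four-part dotted
decimals and any build >= 107.0.5304.121 carries the fix.
"""
import re
from typing import Optional, Tuple

CHROME_FIXED = "107.0.5304.121"

# Oracle Access Manager versions the article lists as affected by CVE-2021-35587.
OAM_AFFECTED = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}
# Versions the article says are also affected but already out of vendor support.
OAM_UNSUPPORTED_AFFECTED = {"11.1.2.0.0", "10.3.6.0"}

_VERSION_RE = re.compile(r"\d+(?:\.\d+){1,3}")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '107.0.5304.121' into (107, 0, 5304, 121).

    Comparing int tuples avoids the classic bug of comparing version strings
    lexically, where '99.0.4844.51' > '107.0.5304.121' because '9' > '1'.
    A shorter tuple that is a prefix of a longer one sorts as older, which is
    the conservative choice for a vulnerability check.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def chrome_version_from_output(output: str) -> Optional[str]:
    """Extract the version from text such as 'Google Chrome 107.0.5304.110'
    (the shape of `google-chrome --version` output). Returns None if absent."""
    m = _VERSION_RE.search(output)
    return m.group(0) if m else None


def chrome_is_vulnerable(installed: str) -> bool:
    """True when the installed Chrome build is older than the fixed build."""
    return parse_version(installed) < parse_version(CHROME_FIXED)


def oam_status(installed: str) -> str:
    """Classify an OAM/WebLogic version against the article's affected list."""
    if installed in OAM_AFFECTED:
        return "affected: apply Oracle patch"
    if installed in OAM_UNSUPPORTED_AFFECTED:
        return "affected and out of support: upgrade"
    return "not listed as affected"


if __name__ == "__main__":
    # Constructed sample inputs, not real host data.
    for line in ("Google Chrome 107.0.5304.110", "Google Chrome 107.0.5304.121",
                 "Google Chrome 99.0.4844.51"):
        ver = chrome_version_from_output(line)
        print(f"{line!r}: vulnerable={chrome_is_vulnerable(ver)}")
    for ver in ("12.2.1.4.0", "10.3.6.0", "12.2.1.5.0"):
        print(f"OAM {ver}: {oam_status(ver)}")
```

Feed `chrome_version_from_output` the output of `google-chrome --version` (or the equivalent on macOS and Windows) and treat any `True` from `chrome_is_vulnerable` as a host still exposed to the Chrome zero-day described above.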