"Pre-auth RCE in Oracle Fusion Middleware Exploited in the Wild (CVE-2021-35587)"

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a pre-authentication Remote Code Execution (RCE) flaw in Oracle Access Manager (OAM), tracked as CVE-2021-35587 and fixed in Oracle's January 2022 Critical Patch Update, is being exploited in the wild, and has added it to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability lies in the OpenSSO Agent component of OAM, which is part of the Oracle Fusion Middleware suite and widely used by enterprises for Single Sign-On (SSO). An unauthenticated attacker with HTTP network access to OAM can exploit it to compromise the server, create users with arbitrary privileges, or execute arbitrary code on the victim's server.

The vulnerability affects OAM 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0, and patches are available for those supported versions. It also affects Oracle WebLogic Server 11g (10.3.6.0) and OAM 11g (11.1.2.0.0), which reached end of support on January 1, 2022, so no patch is available for them; organizations still running those releases can only upgrade to a supported version or restrict HTTP access to OAM to trusted networks. Several Proof-of-Concept (PoC) exploits for the flaw have been published on GitHub since the researchers who discovered it released part of their exploit in March 2022. CISA has confirmed successful exploitation but has not yet released details of the attacks. Because the vulnerability is now in the KEV catalog, US Federal Civilian Executive Branch agencies must apply the patches by December 19, 2022. This article continues to discuss the pre-authentication RCE flaw found in OAM.

Help Net Security reports "Pre-auth RCE in Oracle Fusion Middleware Exploited in the Wild (CVE-2021-35587)"

Submitted by Anonymous on