Feb 03, 2023 | Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
on February 2 added[1]
two security flaws to its Known Exploited Vulnerabilities (KEV)
Catalog, citing evidence of active exploitation.
The first of the two vulnerabilities is CVE-2022-21587[2]
(CVSS score: 9.8), a critical issue in the Oracle Web Applications
Desktop Integrator component of Oracle E-Business Suite, affecting
versions 12.2.3 through 12.2.11.
“Oracle E-Business Suite contains an unspecified vulnerability
that allows an unauthenticated attacker with network access via
HTTP to compromise Oracle Web Applications Desktop Integrator,”
CISA said[3].
The issue was addressed by Oracle as part of its Critical Patch Update[4]
released in October 2022. Not much is known about the nature of the
attacks exploiting the vulnerability.
The second security flaw added to the KEV catalog is
CVE-2023-22952[5]
(CVSS score: 8.8), a missing input validation[6] bug in SugarCRM that
lets a crafted request inject arbitrary PHP code, giving an attacker
code execution on the server. The bug is fixed in SugarCRM versions
11.0.5 and 12.0.2.
The development comes a week after CISA also added CVE-2017-11357[7]
(CVSS score: 9.8), a severe flaw in Progress Telerik UI for ASP.NET AJAX
whose RadAsyncUpload handler fails to restrict user input, allowing
arbitrary file uploads and, through them, remote code execution.
In light of active exploitation attempts, Federal Civilian
Executive Branch (FCEB) agencies in the U.S. are required to apply
the patches for the two newly added flaws by February 23, 2023. The
KEV catalog binds only FCEB agencies, but because every entry carries
evidence of in-the-wild exploitation it is a sensible prioritization
input for any organization running the affected products.
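The checks a practitioner would actually run after reading this: pull the KEV feed, find entries whose remediation deadline is close, and compare installed versions against the affected ranges quoted above. The following is an added example, not code from the article, CISA or the vendors. The KEV document embedded below is constructed by hand in the shape of CISA's JSON feed (the field names follow the published feed, but nothing is fetched); the Telerik entry's dates are assumed from the article's "a week after", and the SugarCRM range check is this example's reading of "fixed in 11.0.5 and 12.0.2", which should be confirmed against the vendor advisory.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow
# the published feed; the entries are hand-written from the article, not
# downloaded. The Telerik dateAdded/dueDate are ASSUMED (the article only says
# it was added "a week after"); CISA's usual window is three weeks.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.02.02",
    "dateReleased": "2023-02-02",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2022-21587", "vendorProject": "Oracle",
         "product": "E-Business Suite", "dateAdded": "2023-02-02",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-02-23"},
        {"cveID": "CVE-2023-22952", "vendorProject": "SugarCRM",
         "product": "SugarCRM", "dateAdded": "2023-02-02",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-02-23"},
        {"cveID": "CVE-2017-11357", "vendorProject": "Telerik",
         "product": "UI for ASP.NET AJAX", "dateAdded": "2023-01-26",  # assumed
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-02-16"},  # assumed: three weeks after dateAdded
    ],
})


def parse_kev(doc: str) -> list[dict]:
    """Parse a KEV-format JSON document and return its vulnerability entries.

    The feed carries a 'count' field; refusing a document whose count does
    not match the entry list is a cheap guard against a truncated download.
    """
    data = json.loads(doc)
    entries = data["vulnerabilities"]
    if data.get("count", len(entries)) != len(entries):
        raise ValueError("KEV 'count' does not match number of entries")
    return entries


def due_within(entries: list[dict], today_iso: str, days: int) -> list[str]:
    """CVE IDs whose due date is at most `days` after `today_iso` (YYYY-MM-DD),
    in catalog order. Entries that are already overdue are included, since
    they are the ones that need action first."""
    today = date.fromisoformat(today_iso)
    return [
        e["cveID"]
        for e in entries
        if (date.fromisoformat(e["dueDate"]) - today).days <= days
    ]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.2.11' (or '12.0.2-hotfix') into a tuple of ints that compares
    the way release numbers do; a string with no digits is rejected."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def ebs_affected(version: str) -> bool:
    """True for Oracle E-Business Suite 12.2.3 through 12.2.11, the range the
    article quotes for CVE-2022-21587. Other release lines return False only
    because the article says nothing about them; check Oracle's advisory."""
    return (12, 2, 3) <= parse_version(version) <= (12, 2, 11)


def sugarcrm_affected(version: str) -> bool:
    """True if the installed SugarCRM predates the fix for CVE-2023-22952.

    This reads the article's 'fixed in 11.0.5 and 12.0.2' as: every release
    below 11.0.5 is unpatched, and on the 12.0 line everything below 12.0.2
    is unpatched. That reading is this example's assumption, not the
    vendor's wording.
    """
    v = parse_version(version)
    if v < (11, 0, 5):
        return True
    return (12, 0, 0) <= v < (12, 0, 2)


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_KEV)
    print("due within 14 days of 2023-02-03:", due_within(entries, "2023-02-03", 14))
    print("due within 21 days of 2023-02-03:", due_within(entries, "2023-02-03", 21))
    for v in ("12.2.3", "12.2.11", "12.2.12", "12.1.3"):
        print(f"EBS {v}: affected={ebs_affected(v)}")
    for v in ("11.0.4", "11.0.5", "12.0.1", "12.0.2", "10.3.0"):
        print(f"SugarCRM {v}: affected={sugarcrm_affected(v)}")
```

To use it against the live catalog, replace `SAMPLE_KEV` with the body of CISA's published JSON feed; the parsing and deadline logic is unchanged, and the version predicates are the part to extend per product as the vendor advisories are read.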
References
1. added (www.cisa.gov)
2. CVE-2022-21587 (nvd.nist.gov)
3. said (www.cisa.gov)
4. Critical Patch Update (www.oracle.com)
5. CVE-2023-22952 (nvd.nist.gov)
6. missing input validation (thehackernews.com)
7. CVE-2017-11357 (nvd.nist.gov)
8. Twitter (twitter.com)
9. LinkedIn (www.linkedin.com)
Source: https://thehackernews.com/2023/02/cisa-alert-oracle-e-business-suite-and.html