Lucene search

K
thnThe Hacker NewsTHN:8DEF040F235E88FCB18313526D0E4C2F
HistoryFeb 03, 2023 - 5:23 a.m.

CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack

2023-02-0305:23:00
The Hacker News
thehackernews.com
117
cisa alert
oracle e-business suite
sugarcrm
vulnerabilities
exploitation
cve-2022-21587
cve-2023-22952
missing input validation
critical patch update

EPSS

0.97

Percentile

99.8%

Oracle and SugarCRM Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.

The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.

β€œOracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator,” CISA said.

The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022. Not much is known about the nature of the attacks exploiting the vulnerability, but the development follows the publication of a proof-of-concept (PoC) by cybersecurity firm Viettel on January 16, 2023.

The second security flaw to be added to the KEV catalog is CVE-2023-22952 (CVSS score: 8.8), which relates to a case of missing input validation in SugarCRM that could result in the injection of arbitrary PHP code. The bug has been fixed in SugarCRM versions 11.0.5 and 12.0.2.

The development comes a week after CISA also added CVE-2017-11357 (CVSS score: 9.8), a severe security vulnerability impacting Telerik UI that could facilitate arbitrary file uploads or remote code execution.

In light of active exploitation attempts, Federal Civilian Executive Branch (FCEB) agencies in the U.S. are required to apply the patches by February 23, 2023.

Found this article interesting? Follow us on Twitter ο‚™ and LinkedIn to read more exclusive content we post.