Exploitation of critical vulnerability in Oracle E-Business Suite

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level – Critical (CVSS v3 score of 9.8): Compromise may result in the loss of confidentiality and integrity of data.

Several compromises have been detected that exploit a vulnerability in Oracle E-Business Suite (EBS). The vulnerability, tracked as CVE-2022-21587, is a critical arbitrary file upload flaw.

Oracle E-Business Suite is a packaged collection of enterprise applications utilised for a range of tasks such as customer relationship management (CRM), enterprise resource planning (ERP) and human capital management (HCM).

Impact

Successful exploitation could allow a threat actor with network access via HTTP to hijack the Oracle Web Applications Desktop Integrator (CVE-2022-21587, CVE-2022-39428), potentially resulting in unauthenticated remote code execution.

Threat actors have been observed using a proof-of-concept exploit. The exploit uploads a Perl script, which fetches (via curl or wget) further script components that in turn download a malicious binary payload, enrolling the victim host in a botnet.
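The chain described above (web tier process runs an uploaded Perl script, which runs curl or wget) can be hunted for in process-creation telemetry. The following is an added example, not part of the bulletin: it builds parent-child chains from constructed process events and flags any downloader whose ancestry includes an interpreter launched beneath a web tier process. The web tier process names, the "applmgr" account and all event values are assumptions made for illustration.

```python
from typing import Dict, List

# Assumptions (not from the bulletin): the EBS web tier runs as Java (WebLogic)
# or httpd processes, and the application owner account is named "applmgr".
WEB_TIER = {"java", "httpd"}
INTERPRETERS = {"perl"}
DOWNLOADERS = {"curl", "wget"}


def find_suspicious_chains(events: List[Dict]) -> List[List[str]]:
    """Return root-to-leaf process-name chains in which a web tier process
    (directly or indirectly) ran an interpreter that ran curl or wget.

    Each event is a dict with at least pid, ppid and comm (process name).
    """
    by_pid = {e["pid"]: e for e in events}
    hits: List[List[str]] = []
    for e in events:
        if e["comm"] not in DOWNLOADERS:
            continue
        # Walk up the parent chain as far as the event set allows, guarding
        # against malformed data that would otherwise loop forever.
        chain = [e]
        seen = {e["pid"]}
        cur = e
        while cur["ppid"] in by_pid and cur["ppid"] not in seen:
            cur = by_pid[cur["ppid"]]
            seen.add(cur["pid"])
            chain.append(cur)
        names = [c["comm"] for c in reversed(chain)]  # root first, downloader last
        web_idx = [i for i, n in enumerate(names) if n in WEB_TIER]
        interp_idx = [i for i, n in enumerate(names) if n in INTERPRETERS]
        # The interpreter must sit below the web tier process in the tree.
        if web_idx and interp_idx and min(web_idx) < max(interp_idx):
            hits.append(names)
    return hits


# Constructed sample events (pids, names and users are made up for illustration).
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "comm": "init", "user": "root"},
    {"pid": 100, "ppid": 1, "comm": "java", "user": "applmgr"},
    {"pid": 200, "ppid": 100, "comm": "perl", "user": "applmgr"},
    {"pid": 300, "ppid": 200, "comm": "curl", "user": "applmgr"},
    # Benign: an administrator fetching a file from an interactive shell.
    {"pid": 400, "ppid": 1, "comm": "bash", "user": "ops"},
    {"pid": 401, "ppid": 400, "comm": "wget", "user": "ops"},
]

if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_EVENTS):
        print("suspicious chain:", " -> ".join(chain))
```

In production the events would come from auditd, EDR or sysmon-for-linux telemetry; the value of the check is the parent-child relationship, so the same logic applies to Perl, Python or shell interpreters by extending the INTERPRETERS set.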

Vulnerability Detection

Oracle has released a security patch for the affected product versions. The earlier versions listed below remain vulnerable to exploitation.

Affected Products

  • Oracle Web Applications Desktop Integrator versions: 12.2.3 – 12.2.11

Containment, Mitigations & Remediations

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the relevant security patch as soon as possible. Users are also advised to monitor Oracle's advisory for further details. The patched version is as follows:

– Oracle Web Applications Desktop Integrator version: 12.2.12
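As an added example (not part of the bulletin), the affected range and patched version stated above can be turned into a simple inventory check that classifies each Web Applications Desktop Integrator version as vulnerable, patched, or outside the listed range. The host names and versions in the sample inventory are constructed for illustration.

```python
from typing import Dict, Tuple

# Version boundaries taken from this bulletin (Oracle Web Applications Desktop Integrator).
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 11)
FIXED = (12, 2, 12)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a dotted version string such as '12.2.11' into a (major, minor, patch) tuple.

    Components beyond the third (e.g. a build number) are ignored for the
    range comparison; missing components are treated as zero.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def assess(version: str) -> str:
    """Classify one version against the bulletin's affected range and fixed version."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED:
        return "patched"
    # Older than the listed range: not named as affected in this bulletin,
    # so confirm its status against the vendor advisory rather than assuming safety.
    return "outside-listed-range"


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a {host: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (host names and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "ebs-web-01": "12.2.9",
    "ebs-web-02": "12.2.12",
    "ebs-web-03": "12.2.2",
}

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```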

Indicators of Compromise

No specific Indicators of Compromise (IoC) are available at this time.

Threat Landscape

In terms of market share, the Oracle E-Business Suite is currently in the top tier of enterprise application providers. Threat actors generally weigh the likelihood of successful exploitation against asset value when deciding which attack surfaces to develop exploits for. As a result, Oracle products have become a prime target. Because enterprise application suites are now integral to business operations, threat actors will continue to exploit vulnerabilities in these products in an attempt to exfiltrate the sensitive data they hold.

Threat Group

No attribution to specific threat actors/groups has been identified at the time of this writing.

MITRE Methodologies

Lateral Movement:

T1210 – Exploitation of Remote Services

Command and Control:

T1105 – Ingress Tool Transfer

Further Information

  • National Vulnerability Database Reference
  • Rapid7 Blog
  • Tenable Report