Saturday November 23, 2024

Advisory ID: ngCERT-2024-0014

Summary: 

Multiple critical vulnerabilities have been reported in Oracle products. The identified security flaws could allow attackers to remotely execute code, manipulate data, or gain unauthorized access to systems. Notably, security research revealed that over 200 of the vulnerabilities can be exploited remotely by unauthenticated attackers. In response, Oracle has released its Critical Patch Update (CPU), which contains 441 security patches, more than 200 of which address remotely exploitable flaws. The released updates also include patches for third-party components in Solaris, Oracle Linux, and Oracle VM Server for x86. Accordingly, users are advised to upgrade their products to the latest versions as recommended.

Damage/Probability: CRITICAL/HIGH

Platform(s): Oracle

CVE(s): CVE-2024-21107, CVE-2024-21118, CVE-2024-21119, CVE-2024-21109, CVE-2024-21110, CVE-2024-21116, CVE-2024-21016, CVE-2024-21017, CVE-2024-21018, CVE-2024-21019, CVE-2024-21020, CVE-2024-21021, CVE-2024-21022, CVE-2024-21023, CVE-2024-21024, CVE-2024-21025, CVE-2024-21026, CVE-2024-21027, CVE-2024-21028, CVE-2024-21029, CVE-2024-21030, CVE-2024-21031, CVE-2024-21032, CVE-2024-21033, CVE-2024-21034, CVE-2024-21035, CVE-2024-21036, CVE-2024-21037, CVE-2024-21038, CVE-2024-21039, CVE-2024-21040, CVE-2024-21041, CVE-2024-21042, CVE-2024-21043, CVE-2024-21044, CVE-2024-21045, CVE-2024-21046, CVE-2024-21086, CVE-2024-21120

Description: 

The critical vulnerabilities discovered in Oracle products could be exploited by cyber criminals to remotely execute code, manipulate data, steal data, or gain unauthorised access to systems. Remote code execution vulnerabilities are flaws in software and systems that allow an attacker to gain unauthorised remote access and run malicious code on a target system. Thereafter, an attacker can exfiltrate sensitive data, destroy data, or launch a Denial of Service (DoS) attack. Some of the products fixed in the recent Critical Patch Update include: Oracle Database Servers, Oracle Communications Applications, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle banking and financial services platforms, Oracle identity managers, Oracle customer management platforms, Oracle hospitality management platforms, Oracle healthcare management platforms, Oracle database management platforms, and Oracle communications management platforms, amongst many other products (see https://www.oracle.com/security-alerts/cpuapr2024.html).

Consequences: 

Successful exploitation of the vulnerabilities could result in:

  • Unauthorised access to sensitive data.
  • Security restriction bypass.
  • Data manipulation and exfiltration.
  • System compromise.
  • Privilege escalation.
  • Financial loss.
  • Fraudulent activities.
  • Reputational damage.
  • Denial of Service (DoS).
  • Cross-site scripting.

Solution: 

Due to the threat posed by a successful attack, Oracle strongly recommends that:

  • Users of Oracle products should immediately apply the security updates recently released by Oracle, accessible at https://www.oracle.com/security-alerts/cpuapr2024.html.
  • Until the Critical Patch Update patches are applied, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
  • Customers should immediately upgrade to supported versions of their products.

References: