- The Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities, one affecting an Oracle product and one affecting a Google product, to its Known Exploited Vulnerabilities Catalog.
- The Google Chrome vulnerability is fixed in the next stable update, which Google is rolling out over the coming days.
- The critical Oracle Fusion Middleware (Access Manager) vulnerability was patched in January 2022, but attackers are still exploiting unpatched installations in the wild.
The Cybersecurity and Infrastructure Security Agency announced that it has added two vulnerabilities, including a critical one affecting Oracle Fusion Middleware, to its Known Exploited Vulnerabilities Catalog, meaning CISA has evidence that they are under active exploitation. CISA also stated that these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Oracle Access Manager and Google Chrome
One of the vulnerabilities affects Google's popular web browser, Chrome. The vulnerability was reported by Clement Lecigne of Google's Threat Analysis Group, and it is fixed in Chrome 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows. Google stated that it is aware of an exploit for the vulnerability in the wild.
CVE-2022-4135 – Google Chrome Heap Buffer Overflow Vulnerability: Google Chrome GPU contains a heap buffer overflow vulnerability that allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Note the precondition in that description: the bug lives in the GPU process, so in practice it is a second-stage sandbox escape chained after a separate renderer compromise, not a standalone remote code execution flaw.
The second vulnerability impacts Oracle Access Manager. It has a CVSS score of 9.8 and affects Oracle Access Manager versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. The vulnerability allows an unauthenticated attacker with HTTP network access to compromise and take over Access Manager instances. Oracle fixed it in the Critical Patch Update released in January 2022, so any instance on one of the affected release lines that has not received that update remains exposed.
CVE-2021-35587 – Oracle Fusion Middleware Unspecified Vulnerability: Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to take over the Access Manager product.
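As a practical follow-up to the two entries above, here is a small inventory check written for this article; it is an added example, not code from CISA, Google or Oracle. It encodes the fixed Chrome builds and the affected Oracle Access Manager release lines exactly as stated above, compares Chrome versions numerically rather than as strings (a lexical compare would rank 107.0.5304.99 above 107.0.5304.121), and treats the Oracle check differently: a Critical Patch Update is applied on top of a release line and does not change the reported base version, so the version string alone cannot tell you whether the January 2022 fix is present, and the check takes the patch state as a separate input. The inventory records, host names and the `jan2022_cpu` field are constructed for the example.

```python
"""Flag inventory entries still exposed to CVE-2022-4135 (Chrome) and CVE-2021-35587 (Oracle Access Manager)."""

# First fixed Chrome stable builds for CVE-2022-4135, per Google's release note cited in the article.
# Windows also shipped 107.0.5304.122; anything at or above .121 carries the fix on every platform.
CHROME_FIXED = {
    "linux": "107.0.5304.121",
    "mac": "107.0.5304.121",
    "windows": "107.0.5304.121",
}

# Oracle Access Manager release lines listed as affected by CVE-2021-35587.
OAM_AFFECTED = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '107.0.5304.121' into (107, 0, 5304, 121) so comparisons are numeric per component."""
    return tuple(int(part) for part in version.strip().split("."))


def chrome_vulnerable(installed: str, platform: str) -> bool:
    """True if the installed Chrome build predates the first fixed build for its platform."""
    fixed = CHROME_FIXED[platform.lower()]
    return parse_version(installed) < parse_version(fixed)


def oam_vulnerable(installed: str, jan2022_cpu_applied: bool) -> bool:
    """True if the instance is on an affected release line and the January 2022 CPU has not been applied.

    The CPU does not bump the base version string, so the patch state must be supplied explicitly
    (for example from OPatch inventory output in your own tooling).
    """
    return installed in OAM_AFFECTED and not jan2022_cpu_applied


def exposed(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each exposed host to the KEV CVE IDs that still apply to it."""
    findings: dict[str, list[str]] = {}
    for item in inventory:
        cves = []
        if item["product"] == "chrome" and chrome_vulnerable(item["version"], item["platform"]):
            cves.append("CVE-2022-4135")
        if item["product"] == "oam" and oam_vulnerable(item["version"], item.get("jan2022_cpu", False)):
            cves.append("CVE-2021-35587")
        if cves:
            findings[item["host"]] = cves
    return findings


# Constructed sample inventory for the example; hosts and patch states are invented.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "chrome", "platform": "windows", "version": "107.0.5304.110"},
    {"host": "ws-02", "product": "chrome", "platform": "windows", "version": "107.0.5304.122"},
    {"host": "ws-03", "product": "chrome", "platform": "linux", "version": "107.0.5304.99"},
    {"host": "sso-prod", "product": "oam", "version": "12.2.1.4.0", "jan2022_cpu": False},
    {"host": "sso-dr", "product": "oam", "version": "12.2.1.4.0", "jan2022_cpu": True},
]

if __name__ == "__main__":
    for host, cves in exposed(SAMPLE_INVENTORY).items():
        print(f"{host}: still exposed to {', '.join(cves)}")
```

Feed `exposed()` your real inventory export and treat every hit as a KEV item with a CISA due date attached; for the Oracle entries in particular, resist the temptation to derive the patch state from the version string.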
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities requires Federal Civilian Executive Branch (FCEB) agencies to remediate catalog vulnerabilities by the due date listed for each entry in order to protect FCEB networks against active threats. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalog vulnerabilities as part of their vulnerability management practice.