On Monday, November 28, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2021-35587 and CVE-2022-4135 to its Known Exploited Vulnerabilities Catalog and provided an update based on evidence of active exploitation. CVE-2021-35587 is associated with Oracle Fusion Middleware Access Management, which is an enterprise-level Single Sign-on (SSO) solution. CVE-2021-35587 allows for Pre-auth Remote Code Execution in Oracle Fusion Middleware, giving an attacker full takeover of Oracle Access Manager. CVE-2022-4135 is associated with Google Chromium. Both are critical vulnerabilities observed as being actively exploited in the wild. This post focuses on CVE-2021-35587 because this is where Censys can help.
About CVE-2021-35587
CVE-2021-35587 was published in January 2022. It is a vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware. The vulnerability allows an unauthenticated (Pre-auth) attacker with network access via HTTP to compromise Oracle Access Manager and take full control of the system to conduct Remote Code Execution (RCE). Given that the installation guide describes Oracle Access Manager as an “enterprise-level security application that provides a full range of Web-perimeter security functions and Web single sign-on services,” this can have severe consequences for victims of such attacks.
The first proof of concept (PoC) exploit was published in March 2022 by security researchers “Janggggg” and “Peterjson”. Since then, other PoCs have appeared as well, providing attackers with a variety of options. However, the vulnerability has not been observed to be exploited in the wild … until now.
What’s changed?
CISA has confirmed that CVE-2021-35587 is being actively exploited in the wild, but did not provide additional details about the attacks. GreyNoise Intelligence has observed attacks attempting to exploit this vulnerability from at least 6 unique IPs in the last month. The attacks appear to originate from the United States, China, Germany, Singapore, and Canada. At this time, the attacks do not appear to be widespread.
How can Censys help?
There are currently 151 exposed Oracle Access Management systems accessible from the Internet. Oracle Access Manager hosts can be identified in Censys by searching on the product's CPE identifier:
services.software.uniform_resource_identifier: `cpe:2.3:a:oracle:access_manager:*:*:*:*:*:*:*:*`
host.services.software.uniform_resource_identifier: `cpe:2.3:a:oracle:access_manager:*:*:*:*:*:*:*:*`
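The following is an added example (not Censys code or a Censys-published script) showing how a defender can turn the CPE query above into an inventory check: it matches CPE 2.3 strings component by component with `*` as a wildcard, walks Censys-style host records (the `services[].software[].uniform_resource_identifier` layout the query implies) and lists every service reporting Oracle Access Manager. The host records embedded here are constructed sample data so the script runs offline; `fetch_live` is optional, assumes the `censys` Python client's `CensysHosts.search`/`view` methods and API credentials in the environment, and is only needed to run the check against real results.

```python
"""Find Oracle Access Manager services in Censys host records by CPE match.

Added example; assumes Censys host records expose software CPEs as
services[].software[].uniform_resource_identifier. Sample data is constructed.
"""
from typing import Dict, Iterable, List

# Query exactly as given in the post: Censys host search on the OAM CPE.
OAM_CPE_PATTERN = "cpe:2.3:a:oracle:access_manager:*:*:*:*:*:*:*:*"
OAM_HOST_QUERY = f"services.software.uniform_resource_identifier: {OAM_CPE_PATTERN}"

# A CPE 2.3 formatted string has 13 colon-separated components:
# "cpe", "2.3", part, vendor, product, version, update, edition,
# language, sw_edition, target_sw, target_hw, other.
CPE_COMPONENTS = 13


def _split_cpe(cpe: str) -> List[str]:
    """Split a CPE string on ':' while honouring '\\:' escapes (assumption:
    no other escape handling is needed for the vendor/product fields used here)."""
    parts, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            cur += cpe[i:i + 2]   # keep the escaped pair as-is
            i += 2
            continue
        if cpe[i] == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += cpe[i]
        i += 1
    parts.append(cur)
    return parts


def cpe_matches(pattern: str, candidate: str) -> bool:
    """True if every component of `candidate` equals the pattern's component
    or the pattern component is the '*' wildcard (case-insensitive)."""
    pat, cand = _split_cpe(pattern), _split_cpe(candidate)
    if len(pat) != CPE_COMPONENTS or len(cand) != CPE_COMPONENTS:
        return False  # malformed or truncated CPE never matches
    return all(p == "*" or p.lower() == c.lower() for p, c in zip(pat, cand))


def find_oam_services(host: Dict) -> List[Dict]:
    """Return the services on one host record whose software CPE matches OAM."""
    hits = []
    for svc in host.get("services", []):
        for sw in svc.get("software", []):
            cpe = sw.get("uniform_resource_identifier", "")
            if cpe_matches(OAM_CPE_PATTERN, cpe):
                hits.append({"ip": host.get("ip"), "port": svc.get("port"),
                             "service_name": svc.get("service_name"), "cpe": cpe})
    return hits


def inventory(hosts: Iterable[Dict]) -> List[Dict]:
    """Flatten matching services across many host records."""
    found: List[Dict] = []
    for host in hosts:
        found.extend(find_oam_services(host))
    return found


def fetch_live(query: str = OAM_HOST_QUERY, max_hosts: int = 25) -> List[Dict]:
    """Optional: pull full host records via the censys client (assumption:
    censys-python v2 API; CENSYS_API_ID/CENSYS_API_SECRET must be set).
    Search hits carry only summary fields, so each IP is fetched with view()."""
    from censys.search import CensysHosts  # lazy import keeps offline use working
    client = CensysHosts()
    records: List[Dict] = []
    for page in client.search(query, per_page=max_hosts, pages=1):
        for hit in page[:max_hosts]:
            records.append(client.view(hit["ip"]))
    return records


# Constructed sample records (RFC 5737 documentation addresses, made-up versions).
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "services": [
        {"port": 443, "service_name": "HTTP", "software": [
            {"uniform_resource_identifier": "cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*"},
            {"uniform_resource_identifier": "cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"}]},
        {"port": 22, "service_name": "SSH", "software": [
            {"uniform_resource_identifier": "cpe:2.3:a:openbsd:openssh:8.2p1:*:*:*:*:*:*:*"}]}]},
    {"ip": "192.0.2.20", "services": [
        {"port": 8080, "service_name": "HTTP", "software": [
            {"uniform_resource_identifier": "cpe:2.3:a:apache:tomcat:9.0.65:*:*:*:*:*:*:*"}]}]},
    {"ip": "192.0.2.30", "services": [
        {"port": 14100, "service_name": "HTTP", "software": [
            {"uniform_resource_identifier": "cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*"}]}]},
]

if __name__ == "__main__":
    for hit in inventory(SAMPLE_HOSTS):
        print(f"{hit['ip']}:{hit['port']} {hit['service_name']} {hit['cpe']}")
```

Against the sample data the script reports the two hosts exposing Oracle Access Manager (on ports 443 and 14100) and ignores the WebLogic, OpenSSH and Tomcat entries; pointing `inventory` at `fetch_live()` output, or at records for an organization's own address space, gives the same exposure list for real hosts.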
Censys Attack Surface Management customers will now have access to a new risk to identify exposed Oracle Access Management systems in their attack surface. Given this is a security tool, it should not be accessible from the Internet in a traditional organization. All ASM risks related to Oracle Access Manager can be found here using the search term: “risks.name: oracle”.