Vulnerability Management

Critical Oracle Fusion Middleware vulnerability added to CISA catalog

Active exploitation of an already patched critical Oracle Fusion Middleware flaw has prompted its inclusion in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog, The Hacker News reports. Threat actors could leverage the remote command execution vulnerability, tracked as CVE-2021-35587 and affecting Oracle Access Manager versions,, and, to facilitate total Access Manager compromise and takeovers. "It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim's server," said security researcher Nguyen Jang, who reported the bug with researcher peterjson. Ongoing vulnerability weaponization attempts are being conducted by malicious actors in the U.S., Canada, China, Singapore, and Germany, according to threat intelligence firm GreyNoise. CISA has also added a recently addressed Google Chrome heap buffer overflow vulnerability to its KEV catalog. Both flaws should be addressed by federal agencies by Dec. 19, said CISA.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.