Active exploitation of an already patched critical Oracle Fusion Middleware flaw has prompted its inclusion in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog, The Hacker News reports. Threat actors could leverage the remote command execution vulnerability, tracked as CVE-2021-35587 and affecting Oracle Access Manager versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0, to achieve full compromise and takeover of Access Manager. "It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim's server," said security researcher Nguyen Jang, who reported the bug with researcher peterjson. Malicious actors in the U.S., Canada, China, Singapore, and Germany are making ongoing attempts to weaponize the vulnerability, according to threat intelligence firm GreyNoise. CISA has also added a recently addressed Google Chrome heap buffer overflow vulnerability to its KEV catalog. Federal agencies should address both flaws by Dec. 19, said CISA.