UK’s NHS Digital warns of an RCE in Okta Advanced Server Access client

The UK’s NHS Digital agency warns of an RCE in the Windows client for the Okta Advanced Server Access authentication management platform.

The UK’s NHS Digital agency published a security advisory to warn organizations of a remote code execution flaw, tracked as CVE-2022-24295, impacting the Windows client for the Okta Advanced Server Access authentication management platform.

Okta Advanced Server Access provides Zero Trust identity and access management for cloud and on-premises infrastructure, it is used by thousands of compainies worldwide.

The vulnerability affects Okta Advanced Server Access Client for Windows prior to version 1.57.0.

The vulnerability is a remote code execution issue, remote attackers can trigger the vulnerability to perform command injection via a specially crafted URL.

“Okta has released a security update to address a remote code execution (RCE) vulnerability. A remote, unauthenticated attacker could exploit this command injection vulnerability by sending a specially crafted URL and take control of an affected system.” reads the advisory published by the company.

The successful exploitation of the vulnerability can lead to complete takeover of the vulnerable system.

The agency urges organizations to install security patches to address the vulnerability.

The vendor did not provide technical details about the issue to avoid its malicious exploitation in the wild. Customers have to apply the update urgently due to the absence of mitigations or workarounds.

The NHS Digital’s advisory also states that Okta has updated its response to Log4Shell vulnerabilities, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228.

“In addition to the main vulnerability mentioned in this cyber alert, please note that Okta has updated its response to Log4Shell vulnerabilities, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228. Further information can be found on Okta Security Advisories page and the blog post Okta’s response to CVE-2021-44228 (“Log4Shell”).” continues the advisory.

“NHS and social care organisations are invited visit our cyber alerts article Log4Shell RCE Vulnerability CC-3989 and to use the Cyber Associates Network to find out additional information and participate in discussion about the Log4Shell remote code execution vulnerability and affected products.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, NHS Digital)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.