Exploitation attempts for Oracle E-Business Suite flaw observed after PoC release

Threat actors started exploiting a critical Oracle E-Business Suite flaw, tracked as CVE-2022-21587, shortly after a PoC was published.

Shadowserver researchers warn that threat actors have started attempting to exploit critical Oracle E-Business Suite flaw (CVE-2022-21587) shortly after a PoC was published.

The E-Business Suite is a set of enterprise applications that allows organizations automate processes such as supply chain management (SCM), enterprise resource planning (ERP), and customer relationship management (CRM).

The vulnerability resides in the Web Applications Desktop Integrator of Oracle’s enterprise product and was addressed in October 2022.

An unauthenticated attacker can easily exploit the flaw via HTTP to take over Oracle Web Applications Desktop Integrator installs. The issue impacts versions 12.2.3-12.2.11.

“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator.” reads the advisory.

Shadowserver reported to have observed first exploitation attempts on January 21, only five days after the cybersecurity firm Viettel Cyber Security released a PoC exploit code for this issue.

The researchers recommend to install the patch from Oracle to address the issue, however, if they cannot do it, that can use the firewall to block requests sent to the following URLs:

• /OA_HTML/BneUploaderService
• /OA_HTML/BneViewerXMLService
• /OA_HTML/BneDownloadService
• /OA_HTML/BneOfflineLOVService

US CISA added the CVE-2022-21587 flaw to its Known Exploited Vulnerabilities (KEV) catalog ordering federal agencies to fix it by February 23, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-21587)