Oracle today announced a critical vulnerability, CVE-2021-2329, affecting all versions of its E-Business Suite from 12.2.3 through 12.2.14, specifically the Oracle Configurator component. The issue allows an unauthenticated attacker with network access via HTTP to execute two different payload chains, potentially leading to unauthorized access to critical data. Given how central this software is to the operations of the users and organizations that rely on it, this vulnerability poses a serious danger.
This vulnerability is characterized as low-hanging fruit: it is very much an Aladdin's cave of horrors and a major risk for those who have not installed the required security patches. According to Oracle’s Chief Security Officer, Rob Duhart, this is a pain point for many deployments, and he underscored the urgency of immediate action to mitigate the dangers associated with this defect.
Malware Deployment
This vulnerability enables the installation of various malware families, such as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. Each of these malware families represents a distinct and serious threat to the integrity and security of affected systems. Without proper controls in place, organizations are left vulnerable to data breaches, corruption of systems, and unauthorized access to sensitive information.
Oracle has raised the alarm about the severity of this vulnerability: successful attacks can result in full remote access to any data exposed by the Oracle Configurator. Given the potential for large-scale exploitation, all organizations should immediately begin implementing technical measures to protect their systems.
“Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator.” – Oracle (via NIST’s National Vulnerability Database)
Recommended Actions
Given the risk posed by this weakness, Oracle urges organizations to apply the patches and updates to their systems quickly. The company has provided further guidance on addressing the dangers associated with this defect. As a best practice, it urges customers to review their default configurations and make critical security practices a top priority.
Furthermore, institutions need to actively look for signs of unauthorized access, including auditing systems to identify suspicious activity. Regular security assessments allow organizations to spot possible weaknesses and strengthen protections against such vulnerabilities down the road.
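The two practical steps the article calls for are knowing whether a deployment falls in the affected release range and auditing web traffic for unexpected access to the Configurator. The following script is an added example written for this page; it is not Oracle's code or tooling. It checks a release string against the 12.2.3 through 12.2.14 range stated above and then scans HTTP access-log lines for Configurator requests that were answered successfully from outside an allow-listed internal network. The log format (Apache/OHS combined style), the Configurator URL prefix "/OA_HTML/configurator/", the servlet name in the sample lines, and the trusted network ranges are all assumptions, and the log lines at the bottom are constructed for the example; adjust them to your own deployment.

```python
"""Added example (not from the article or from Oracle): a small defender-side
triage helper for the Oracle Configurator vulnerability described above.

1. is_affected() decides whether an E-Business Suite release string falls in
   the affected range the article gives (12.2.3 through 12.2.14, inclusive).
2. find_suspicious() scans access-log lines for Configurator requests that
   succeeded from outside trusted networks, the kind of "sign of unauthorized
   access" the article says to audit for.
"""
import ipaddress
import re
from typing import Optional

AFFECTED_MIN = (12, 2, 3)   # from the article
AFFECTED_MAX = (12, 2, 14)  # from the article

# ASSUMPTION: URL prefix of the Configurator runtime UI; verify on your system.
CONFIGURATOR_PREFIX = "/OA_HTML/configurator/"

# CONSTRUCTED: networks from which Configurator traffic is expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Apache/OHS combined-style access log (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(release: str) -> tuple:
    """Turn '12.2.10' into (12, 2, 10); reject anything that is not dotted digits."""
    parts = release.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(int(p) for p in parts)


def is_affected(release: str) -> bool:
    """True if the first three version components fall inside the affected range.

    Only major.minor.patch is compared, so a fourth component such as
    12.2.14.1 is still treated as affected (conservative choice).
    """
    v = parse_version(release)[:3]
    v = v + (0,) * (3 - len(v))  # pad '12.2' to (12, 2, 0)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def parse_log_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip: str) -> bool:
    """True if the client address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never treat as trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious(lines) -> list:
    """Return (ip, method, path, status) for Configurator requests from
    untrusted addresses that received a 2xx/3xx response.

    Blocked requests (4xx/5xx) are not evidence of access, so they are left
    out here; unparsable lines are skipped rather than aborting the triage.
    """
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not rec["path"].startswith(CONFIGURATOR_PREFIX):
            continue
        if is_trusted(rec["ip"]):
            continue
        if 200 <= rec["status"] < 400:
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


# CONSTRUCTED sample log lines; the servlet name is an assumption.
SAMPLE_LOG = [
    '10.1.2.3 - - [01/Jan/2025:10:00:01 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2025:10:00:06 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
    '198.51.100.9 - - [01/Jan/2025:10:00:09 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 403 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for rel in ("12.2.2", "12.2.3", "12.2.10", "12.2.14", "12.2.15"):
        print(f"{rel}: {'AFFECTED' if is_affected(rel) else 'not in range'}")
    for hit in find_suspicious(SAMPLE_LOG):
        print("investigate:", hit)
```

Only the external POST that received a 200 is reported; the internal request is expected traffic, the external 403 was blocked, and the login request is outside the Configurator prefix. In a real investigation the trusted ranges should be narrowed to the hosts that legitimately use the Configurator, and any hit should be correlated with application-side audit records rather than treated as proof on its own.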
“Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.” – Oracle (via NIST’s National Vulnerability Database)