The Cybersecurity and Infrastructure Security Agency (CISA) has added two new security vulnerabilities to its catalog, both with CVSS scores above the standard average. The two vulnerabilities directly affect Oracle Fusion Middleware and the Google Chrome browser and allow an attacker to take control of the victim’s systems.
According to CISA, the vulnerability within Oracle Fusion Middleware Access Manager could allow “unauthenticated attackers” with network access via HTTP to take control of the Access Manager product. It affects Oracle Access Manager (OAM) versions 22.214.171.124.0, 126.96.36.199.0, and 188.8.131.52.0, and threat actors can exploit it by sending an HTTP request. The other vulnerability is a Heap Buffer Overflow in the Google Chrome browser that remote attackers can exploit, and it can lead to DDoS attacks.
Apart from compromising two Oracle Access Manager (OAM) versions, the vulnerability also affects Oracle WebLogic Server 11g (10.3.6.0) and OAM 11g. Those using these two versions should update immediately because support was stopped on January 1, 2022. If left unpatched, hackers can exploit the vulnerability to take control of Access Manager instances without authenticating.
CISA has confirmed that the vulnerabilities are being exploited in the wild: several threat actors have already successfully exploited them, and traces of these exploits have already been detected. Moreover, many proof-of-concept (PoC) exploit scripts have been uploaded to GitHub since March.
The second vulnerability, tracked as CVE-2022-4135, is a Heap Buffer Overflow bug that directly impacts the Google Chrome browser. According to sources, it is the eighth zero-day vulnerability detected in Chrome this year and is believed to affect the previous version of Chrome 107.0.5304. Since the vulnerability exists within the Chrome ecosystem, it affects Mac, Linux, and Windows operating systems. According to Cyware, the vulnerability can be exploited to launch DoS attacks by putting the program in an infinite loop.
Mitigation for CVE-2021-35587 and CVE-2022-4135
CISA has asked federal agencies and customers to patch the bugs by December 19. Organizations that use the impacted products should update to the most recent versions as quickly as possible to resolve the flaws and mitigate any hazards, the CISA announcement recommended.