November 20, 2024 at 05:36AM
Oracle has released patches for a critical information disclosure vulnerability (CVE-2024-21287) in Agile Product Lifecycle Management (PLM) that is being actively exploited. The flaw allows remote, unauthenticated attackers to download files accessible under the PLM application's privileges. Users are urged to apply the updates promptly. Separately, Agile PLM is being discontinued, with premier support ending in 2027.
### Meeting Takeaways:
1. **Vulnerability Announcement**: Oracle has released patches for a critical information disclosure vulnerability in Agile Product Lifecycle Management (PLM), tracked as CVE-2024-21287, with a CVSS score of 7.5.
2. **Affected Version**: The zero-day vulnerability affects Agile PLM version 9.3.6 and can be exploited remotely without requiring authentication.
3. **Exploitation Details**:
– The vulnerability has been actively exploited in the wild.
– An unauthenticated user could potentially download files accessible under the PLM application’s privileges.
4. **Advisory Notes**:
– Oracle advises immediate application of the provided updates to mitigate the risk posed by this vulnerability.
– Customers are strongly encouraged to act promptly in response.
5. **Attribution**: The vulnerability was reported by Joel Snape and Lutz Wolf of CrowdStrike, and was publicly acknowledged by Eric Maurice, Oracle VP of security assurance.
6. **No Technical Details Provided**: There is currently a lack of technical information regarding the vulnerability and its exploitation from both Oracle and CrowdStrike.
7. **Future Discontinuation of Agile PLM**: Oracle announced in April 2024 that Agile PLM will be discontinued, with premier support ending on December 31, 2027.
8. **Further Inquiry**: SecurityWeek has sought additional information from Oracle and CrowdStrike regarding the in-the-wild exploitation of the vulnerability.
### Action Items:
– Ensure relevant stakeholders are informed about the vulnerability and the necessity of applying patches.
– Monitor for updates from Oracle and CrowdStrike regarding CVE-2024-21287.