September 19, 2024 at 11:06AM
CISA has added two critical Oracle vulnerabilities, CVE-2022-21445 and CVE-2020-14644, to its Known Exploited Vulnerabilities (KEV) Catalog. Both allow unauthenticated remote code execution and full system takeover. They affect Oracle Fusion Middleware, specifically JDeveloper (the ADF Faces component) and WebLogic Server, and researchers have shown they put widely deployed Oracle applications and cloud services at risk.
Key takeaways from the meeting notes:
– CISA added two Oracle product vulnerabilities, tracked as CVE-2022-21445 and CVE-2020-14644, to its Known Exploited Vulnerabilities (KEV) Catalog.
– CVE-2022-21445 affects the JDeveloper product of the Oracle Fusion Middleware platform, specifically the ADF Faces component. It is rated critical (CVSS 9.8) and allows an unauthenticated attacker to execute code remotely and take over the targeted system.
– CVE-2020-14644 affects WebLogic Server. It is also rated critical (CVSS 9.8) and likewise allows an unauthenticated attacker to execute code remotely and compromise the targeted system.
– Although the two flaws were disclosed two years apart, they are related deserialization bugs and can be chained together in a single attack.
– CVE-2022-21445 was described as a ‘mega’ vulnerability because it affected every Oracle application that relies on the ADF Faces component, putting both on-premises systems and cloud services at risk.
– There are no public reports of attacks exploiting these vulnerabilities; CISA sometimes adds entries to the KEV catalog on the basis of exploitation evidence it receives privately, so the absence of public reporting should not be read as absence of exploitation.
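Because a KEV addition starts a remediation clock, the practical follow-up is to match the catalog against your own scanner output and rank by due date. The script below is an added example, not part of the original notes or of any CISA tooling. It uses the field names of CISA's real KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the feed excerpt, the scanner findings, the hostnames and the placeholder CVE-2024-99999 are constructed here for illustration; the vulnerability names and due dates shown are not quoted from the catalog.

```python
import json
from datetime import date
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names match the
# real feed; the values are illustrative and should be replaced by the downloaded file.
KEV_FEED_SAMPLE = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2022-21445", "vendorProject": "Oracle", "product": "ADF Faces",
     "vulnerabilityName": "Oracle ADF Faces deserialization (constructed name)",
     "dateAdded": "2024-09-18", "dueDate": "2024-10-09",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-14644", "vendorProject": "Oracle", "product": "WebLogic Server",
     "vulnerabilityName": "Oracle WebLogic Server deserialization (constructed name)",
     "dateAdded": "2024-09-18", "dueDate": "2024-10-09",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: (hostname, CVE reported open on that host).
# CVE-2024-99999 is a placeholder that is deliberately absent from the feed sample.
SAMPLE_FINDINGS: List[Tuple[str, str]] = [
    ("wls-prod-01", "CVE-2020-14644"),
    ("jdev-build-02", "cve-2022-21445"),   # lower case on purpose: IDs are normalised
    ("web-03", "CVE-2024-99999"),
]


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Index the KEV feed by upper-cased CVE ID for constant-time lookups."""
    feed = json.loads(feed_text)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def prioritize(feed_text: str, findings: List[Tuple[str, str]], today: date) -> List[dict]:
    """Return only the findings that are in the KEV catalog, ranked by urgency.

    Each result carries the KEV due date, the days remaining (negative when the
    deadline has passed) and an explicit overdue flag. Findings not in the catalog
    are dropped: they may still matter, but they do not carry a KEV deadline.
    """
    kev = load_kev(feed_text)
    results = []
    for host, cve in findings:
        entry = kev.get(cve.strip().upper())
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        results.append({
            "host": host,
            "cve": entry["cveID"],
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "ransomware_use": entry["knownRansomwareCampaignUse"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": today > due,
        })
    # Soonest deadline first; hostname breaks ties so output is deterministic.
    results.sort(key=lambda r: (r["days_left"], r["host"]))
    return results


if __name__ == "__main__":
    for row in prioritize(KEV_FEED_SAMPLE, SAMPLE_FINDINGS, date.today()):
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['host']:<14} {row['cve']:<15} {row['product']:<16} due {row['due']} ({state})")
```

In production, fetch the live feed rather than embedding a sample, and feed the result into whatever ticketing or SLA tracking you already use; the point of the KEV match is that it turns "critical CVSS score" into a dated obligation that can be reported on and escalated.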
Please let me know if you need further details or additional information.