November 19, 2024 at 03:00PM
Oracle has addressed a critical unauthenticated file disclosure vulnerability (CVE-2024-21287) in its Agile PLM software, which was exploited as a zero-day. Users are urged to update immediately to prevent unauthorized file access. The flaw was reported by CrowdStrike and has a CVSS score of 7.5.
**Meeting Takeaways:**
1. **Vulnerability Identified**: Oracle has addressed an unauthenticated file disclosure vulnerability in Oracle Agile Product Lifecycle Management (PLM), identified as CVE-2024-21287, which was actively exploited as a zero-day.
2. **Impact of the Flaw**: The vulnerability allows for remote exploitation without authentication, exposing the potential for unauthorized file downloads.
3. **Customer Urgency**: Oracle strongly recommends that Agile PLM customers promptly install the latest updates to mitigate the risk posed by CVE-2024-21287.
4. **Disclosure of Vulnerability**: The flaw was reported by security researchers Joel Snape and Lutz Wolf from CrowdStrike, and although initially not indicated as exploited, subsequent confirmation from Oracle’s Vice President of Security Assurance, Eric Maurice, stated that it has been exploited “in the wild.”
5. **Severity Rating**: The CVE-2024-21287 vulnerability has been assigned a CVSS Base Score of 7.5, indicating a significant risk.
6. **Current Exploit Details**: There remains ambiguity regarding the specific methods of exploitation and whether any particular threat actors are responsible for current attacks.
7. **Pending Responses**: BleepingComputer has reached out to CrowdStrike and Oracle for additional information but has yet to receive any responses.