The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw affecting Oracle Fusion Middleware systems to its Known Exploited Vulnerabilities (KEV) Catalog on Monday.
The bug, which CISA confirmed has been exploited in the wild, allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks targeting this vulnerability can consequently result in the program's takeover.
Because of these factors, the vulnerability (tracked as CVE-2021-35587) has been assigned a CVSS 3.1 base score of 9.8.
"CISA has grown more proactive in adding vulnerabilities to the list when they pose a threat," commented Mike Parkin, senior technical engineer at Vulcan Cyber.
"That's especially apparent when the vulnerability is being actively exploited in the wild, as these appear to be. We can expect to see this happen more often as they take a more aggressive stance on dealing with threats to the organizations they protect."
Oracle addressed the flaw as part of its Critical Patch Update Advisory in January this year. The fact that CISA is now adding it to its KEV Catalog means that one or more systems had not been adequately updated within this time frame, enabling attackers to exploit the bug.
"Whenever stories like these break, they should be used by security teams as an opportunity to lobby for security budget and prioritization," said Jamie Boote, associate principal consultant at the Synopsys Software Integrity Group.
"When the government acknowledges that unpatched vulnerabilities that have been out for nearly a year are a problem, it can be [a] much-needed assist to struggling security teams."
In the same announcement, CISA also added to the KEV Catalog a heap buffer overflow flaw in the Chrome web browser (CVE-2022-4135), which Google had recently patched and confirmed had also been exploited in the wild.
"Browser exploits have gone down in recent years. However, their importance has only increased as the primary interface almost everyone has to everything they do on the internet," said John Bambenek, principal threat hunter at Netenrich.
"Anytime there is active exploitation, it only increases the importance to update machines quickly. My only real concern is that a three-week deadline gives attackers plenty of time to keep racking up wins in the meantime. This has to get much faster."
The news comes two months after secure cloud experts at Wiz discovered a separate vulnerability in Oracle Cloud Infrastructure (OCI) that would allow unauthorized access to the cloud storage volumes of all users.