

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.

Successful exploitation of the remote command execution bug could enable an unauthenticated attacker with network access to completely compromise and take over Access Manager instances.

“It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim’s server,” Vietnamese security researcher Nguyen Jang (Janggggg), who reported the bug alongside peterjson, noted earlier this March.

The issue was addressed by Oracle as part of its Critical Patch Update in January 2022.

Additional details regarding the nature of the attacks and the scale of the exploitation efforts are not immediately clear. Data gathered by threat intelligence firm GreyNoise shows that attempts to weaponize the flaw have been ongoing and originate from the U.S., China, Singapore, and Canada.

Also added by CISA to the KEV catalog is the recently patched heap buffer overflow flaw in the Google Chrome web browser (CVE-2022-4135) that the internet giant acknowledged as having been abused in the wild.

Federal agencies are required to apply the vendor patches by December 19, 2022, to secure networks against potential threats.
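A small triage script, added here as an illustration and not part of the original article, shows how a defender would act on a KEV addition like this one: match the two CVEs from the catalog against an asset inventory and compute how long remains until the remediation due date. The KEV records are constructed sample data in the shape of CISA's public JSON feed (field names `cveID`, `vendorProject`, `product`, `dueDate`); the host inventory, the `AFFECTED_OAM_VERSIONS` list (taken from the article) and the mapping from inventory product names to CVE IDs are assumptions made for this example, since the KEV feed itself does not carry affected-version data.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed.
# Values are the two entries and the due date named in the article;
# the dateAdded field is omitted because the article gives no exact date.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-35587", "vendorProject": "Oracle",
         "product": "Fusion Middleware", "dueDate": "2022-12-19"},
        {"cveID": "CVE-2022-4135", "vendorProject": "Google",
         "product": "Chrome", "dueDate": "2022-12-19"},
    ]
})

# OAM versions listed as affected in the article.
AFFECTED_OAM_VERSIONS = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}

# Hypothetical asset inventory (constructed for this example).
INVENTORY = [
    {"host": "oam-prod-1", "product": "Oracle Access Manager", "version": "12.2.1.4.0"},
    {"host": "oam-dev-1",  "product": "Oracle Access Manager", "version": "12.2.1.3.0"},
    {"host": "oam-lab-1",  "product": "Oracle Access Manager", "version": "12.2.1.4.0.230101"},
]

# Assumed mapping from inventory product names to the KEV CVE ID and the
# version check that applies. KEV has no version data, so this is local knowledge.
PRODUCT_RULES = {
    "Oracle Access Manager": ("CVE-2021-35587",
                              lambda v: v in AFFECTED_OAM_VERSIONS),
}


def load_kev(text):
    """Parse a KEV feed body into {cveID: entry}."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def triage(kev_text, inventory, today):
    """Return one finding per inventory host whose product/version matches a KEV entry.

    Each finding carries the CVE, the due date, days remaining and an overdue flag,
    so the output can feed a ticket queue or a compliance report.
    """
    kev = load_kev(kev_text)
    findings = []
    for asset in inventory:
        rule = PRODUCT_RULES.get(asset["product"])
        if rule is None:
            continue
        cve_id, is_affected = rule
        if cve_id not in kev or not is_affected(asset["version"]):
            continue
        due = date.fromisoformat(kev[cve_id]["dueDate"])
        days_left = (due - today).days
        findings.append({
            "host": asset["host"],
            "cve": cve_id,
            "due_date": due.isoformat(),
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2022, 12, 1)):
        print(f)
```

Hosts whose version string carries a later patch-set suffix (like the constructed `oam-lab-1` entry) are deliberately not flagged by the exact-match rule; a real deployment would replace that lambda with the organisation's own patch-level check.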