### #ZeroDayExploits #AppleSecurity #OracleVulnerabilities
Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added new vulnerabilities to its Known Exploited Vulnerabilities catalog, including critical flaws in Apple and Oracle products that are actively being exploited. Apple has released security updates addressing two zero-day vulnerabilities that could lead to severe security risks.
Threat Actor: Unknown
Victim: Apple, Oracle
Key Points:
- CVE-2024-44309: A cookie management issue in WebKit that can lead to cross-site scripting (XSS) attacks.
- CVE-2024-44308: A vulnerability in JavaScriptCore allowing arbitrary code execution when processing malicious web content.
- CVE-2024-21287: An incorrect authorization vulnerability in Oracle Agile PLM Framework, enabling unauthenticated access to critical data.
- Federal agencies must address these vulnerabilities by December 12, 2024, to protect their networks.
- Google’s Threat Analysis Group discovered the Apple vulnerabilities, indicating potential links to advanced threat actors.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2024-44308 Apple Multiple Products Code Execution Vulnerability
- CVE-2024-44309 Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability
- CVE-2024-21287 Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability
This week, Apple released security updates for iOS, iPadOS, macOS, visionOS, and the Safari web browser that address two zero-day vulnerabilities, tracked as CVE-2024-44309 and CVE-2024-44308, which are actively exploited in the wild.
The vulnerability CVE-2024-44309 is a cookie management issue in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content.
“Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems,” reads the advisory.
Apple addressed the cookie management issue with improved state management.
The vulnerability CVE-2024-44308 impacts JavaScriptCore and could lead to arbitrary code execution when processing malicious web content.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems,” reads the advisory.
The company fixed the issue with improved checks.
The IT giant did not disclose details about the attack or attribute it to specific threat actors.
Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group discovered both vulnerabilities.
Google’s Threat Analysis Group (TAG) focuses on protecting users by monitoring and countering advanced persistent threats (APTs) and cyber-espionage activities, often involving commercial spyware. This suggests that the two flaws may be part of an exploit employed by an advanced threat actor.
The vulnerability CVE-2024-21287 is an incorrect authorization issue in Oracle Agile PLM Framework (version 9.3.6) that allows unauthenticated attackers to access critical or all data via HTTP.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix these vulnerabilities by December 12, 2024.
(SecurityAffairs – hacking, CISA)