Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several high-risk vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including critical remote code execution flaws in Oracle products and Apache HugeGraph-Server. Federal agencies are mandated to address these vulnerabilities by October 9, 2024, to safeguard their networks.
Threat Actor: Various threat actors | various threat actors
Victim: Federal agencies and private organizations | federal agencies and private organizations
Key Point :
- CVE-2024-27348: Apache HugeGraph-Server has a remote command execution vulnerability affecting versions before 1.3.0.
- CVE-2022-21445: Oracle JDeveloper has a critical remote code execution vulnerability with a CVSS score of 9.8.
- CVE-2020-14644: Oracle WebLogic Server is vulnerable to remote code execution, also rated 9.8 on the CVSS scale.
- CVE-2019-1069: Microsoft Windows Task Scheduler has an elevation of privilege vulnerability that was actively exploited.
- CVE-2020-0618: Microsoft SQL Server Reporting Services has a remote code execution vulnerability due to improper handling of page requests.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS, ImageMagick and Linux Kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the descriptions for these vulnerabilities:
- CVE-2024-27348 Apache HugeGraph-Server Improper Access Control Vulnerability
- CVE-2020-0618 Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
- CVE-2019-1069 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
- CVE-2022-21445 Oracle JDeveloper Remote Code Execution Vulnerability
- CVE-2020-14644 Oracle WebLogic Server Remote Code Execution Vulnerability
CVE-2022-21445 vulnerability (CVSS score of 9.8) is a remote code execution issue in the Oracle JDeveloper product of Oracle Fusion Middleware (component: ADF Faces). An unauthenticated attacker with network access via HTTP could exploit the flaw to compromise Oracle JDeveloper. Successful attacks of this vulnerability can result in the takeover of Oracle JDeveloper. The flaw affects 12.2.1.3.0 and 12.2.1.4.0 versions. According to the advisory, it is easily exploitable.
CVE-2020-14644 vulnerability (CVSS score of 9.8) is a remote code execution issue in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). An unauthenticated attacker with network access via IIOP could exploit this vulnerability to compromise Oracle WebLogic Server. Successful exploitation can result in the takeover of Oracle WebLogic Server.
The flaw affects versions 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 and is easily exploitable.
CVE-2019-1069 vulnerability (CVSS score of 7.8) is an elevation of privilege issue in the way the Task Scheduler Service validates certain file operations, aka ‘Task Scheduler Elevation of Privilege Vulnerability’.
An attacker could exploit the flaw to gain elevated privileges on a victim system. To exploit the vulnerability, an attacker would require unprivileged code execution on a victim system.
The flaw was disclosed by the researcher SandboxEscaper in June, and Microsoft addressed it in the same month with the release of Patch Tuesday security updates.
At the time, Microsoft confirmed the issue was exploited in attacks in the wild.
CVE-2020-0618 vulnerability (CVSS score of 7.8) is a remote code execution issue in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. It allows remote attackers to execute arbitrary code on the system by exploiting a memory corruption flaw in the processing of certain crafted page requests.
CVE-2024-27348 vulnerability (CVSS score of 9.8) is a Remote Command Execution issue in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11.
An attacker could exploit this flaw to bypass sandbox restrictions and potentially execute remote code.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by October 9, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)