US CISA added actively exploited vulnerabilities in SugarCRM and Oracle products to its Known Exploited Vulnerabilities Catalog.

The Cybersecurity and Infrastructure Security Agency (CISA) added Oracle and SugarCRM flaws, tracked as CVE-2022-21587 and CVE-2023-22952 respectively, to its Known Exploited Vulnerabilities Catalog.

The CVE-2022-21587 flaw (CVSS score 9.8) affects the Oracle E-Business Suite, a set of enterprise applications that allows organizations to automate processes such as supply chain management (SCM), enterprise resource planning (ERP), and customer relationship management (CRM).

The vulnerability resides in the Web Applications Desktop Integrator of Oracle's enterprise product and was addressed in October 2022. An unauthenticated attacker can easily exploit the flaw via HTTP to take over Oracle Web Applications Desktop Integrator installs. The issue impacts versions 12.2.3-12.2.11.

Shadowserver researchers reported having observed the first exploitation attempts on January 21, only five days after the cybersecurity firm Viettel Cyber Security released PoC exploit code for this issue.

The CVE-2023-22952 flaw (CVSS score 8.8) is a Remote Code Execution vulnerability that affects multiple SugarCRM products.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by February 23, 2023.
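As an added illustration of the review step described above (this is not code from the article or from CISA), the following Python helper reads entries in the shape of CISA's public KEV JSON feed, matches them against a constructed asset inventory, and flags each match as due or overdue against the BOD 22-01 due date. The field names follow the public feed, the sample entries and the inventory are constructed, and the Oracle affected-version range is the one stated in the article.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names follow the
# public feed; values are taken from the article, not from the live catalog).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-21587", "vendorProject": "Oracle",
     "product": "E-Business Suite", "dueDate": "2023-02-23"},
    {"cveID": "CVE-2023-22952", "vendorProject": "SugarCRM",
     "product": "Multiple Products", "dueDate": "2023-02-23"},
]})

# Affected-version ranges (inclusive) per CVE. The Oracle range is from the
# article; an entry without a range is treated as matching any version of
# that vendor, which is the conservative assumption made here.
AFFECTED = {"CVE-2022-21587": ((12, 2, 3), (12, 2, 11))}

# Constructed asset inventory: hostname, vendor and installed version.
INVENTORY = [
    {"host": "ebs-prod-01", "vendor": "Oracle", "version": "12.2.9"},
    {"host": "ebs-dev-02", "vendor": "Oracle", "version": "12.2.12"},
    {"host": "crm-01", "vendor": "SugarCRM", "version": "12.0.0"},
]


def parse_version(text):
    """Turn '12.2.9' into (12, 2, 9) so ranges compare numerically."""
    return tuple(int(part) for part in text.split("."))


def in_range(version, version_range):
    """Compare only as many components as the range bounds specify."""
    low, high = version_range
    return low <= parse_version(version)[:len(high)] <= high


def triage(kev_json, inventory, today_iso):
    """Return (cveID, host, status) for each KEV entry matching an asset;
    status is 'overdue' once the BOD 22-01 due date has passed."""
    today = date.fromisoformat(today_iso)
    findings = []
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        version_range = AFFECTED.get(vuln["cveID"])
        for asset in inventory:
            if asset["vendor"].lower() != vuln["vendorProject"].lower():
                continue
            if version_range and not in_range(asset["version"], version_range):
                continue
            status = "overdue" if today > date.fromisoformat(vuln["dueDate"]) else "due"
            findings.append((vuln["cveID"], asset["host"], status))
    return findings
```

Running `triage(KEV_SAMPLE, INVENTORY, "2023-02-10")` reports the 12.2.9 Oracle host and the SugarCRM host as due and skips the 12.2.12 host; the same call dated after February 23, 2023 marks the matches overdue.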