A high-severity vulnerability has been disclosed in the Oracle BI Publisher product of Oracle Fusion Middleware that can allow unauthorized access to sensitive information. The affected component is BI Publisher Security; the supported versions listed as affected are 5.5..., 12.2.1.3., and 12.2.1.4.. The vulnerability has been assigned the identifier CVE-2022-21346.
The vulnerability is easily exploitable: an unauthenticated attacker with network access via HTTP can compromise Oracle BI Publisher. Successful exploitation can result in unauthorized access to critical data or complete access to all data accessible to Oracle BI Publisher.
The vulnerability has a CVSS 3.1 Base Score of 7.5, which is a High rating on the CVSS qualitative scale. The vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning network-reachable, low attack complexity, no privileges or user interaction required, high confidentiality impact, and no integrity or availability impact.
Code Snippet
The actual code to exploit this vulnerability has been intentionally omitted to prevent malicious use. In outline, an exploit would have to target the weakness in the BI Publisher Security component, which may involve bypassing the authentication mechanisms that normally guard access to report data.
For more information related to this vulnerability, consult the following resources:
1. Oracle's official description of the vulnerability in the Critical Patch Update Advisory for January 2022 (Oracle Fusion Middleware Risk Matrix).
2. The National Vulnerability Database (NVD) entry for CVE-2022-21346: https://nvd.nist.gov/vuln/detail/CVE-2022-21346
Exploit Details
Though specific details of the exploit are withheld to deter malicious use, the general outline is as follows:
1. The attacker needs network access via HTTP to the targeted Oracle BI Publisher instance; no credentials and no user interaction are required (PR:N, UI:N).
2. The attacker exploits the flaw in the BI Publisher Security component to bypass authentication or otherwise obtain unauthorized access to critical data, up to complete read access to all data accessible to Oracle BI Publisher.
Given the severity of this vulnerability, users are strongly advised to apply the fixes Oracle released for it in the January 2022 Critical Patch Update (CPU) as soon as possible. Until the patch is applied, restricting which networks can reach the BI Publisher HTTP endpoints reduces exposure, since the attack requires network access and nothing else. Regularly updating and patching software is crucial to maintaining the security and integrity of your systems.
Remain vigilant and informed about newly disclosed vulnerabilities, and take the necessary precautions to protect your organization's data and resources. Monitoring official advisories and staying current with patches significantly reduces the risk of falling victim to such exploits.
Timeline
Published on: 01/19/2022 12:15:00 UTC
Last modified on: 01/24/2022 19:00:00 UTC