Oracle SOA Suite versions affected: Oracle SOA Suite 12.2.1.3.0, Oracle SOA Suite 12.2.1.4.0. Fix information: apply the patch level for the applicable SOA Suite version. CVE number: CVE-2022-21622.

Cisco Talos has published an advisory on a critical vulnerability in Oracle SOA Suite and has rated it with a CVSS 3.1 base score. According to the advisory, the vulnerability can be exploited by attackers to obtain unauthorized access to critical data or to cause a high impact. Cisco Talos has also warned of an increased risk of exploitation during February 2019 due to the increased reliance on so-called "Internet of Things" (IoT) devices.

Vulnerability Description

A vulnerability in Oracle SOA Suite 12.2.1.3 and 12.2.1.4 allows attackers to bypass HTTP authentication when accessing an API that is not protected by a security manager. An attacker who reaches such an endpoint can perform arbitrary actions on behalf of the authenticated user account, escalate privileges, or gain access to sensitive information on the system such as session tokens, passwords, or credentials used to authenticate to services in other domains. Until the patch is applied, the practical check is to confirm that every exposed API endpoint of the deployment rejects unauthenticated requests rather than relying on individual handlers to enforce authentication.
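The advisory does not say which API lacks the authentication check, so the following is an added illustration of the general class of bug, not Oracle SOA Suite code and not an exploit for CVE-2022-21622. It models two tiny WSGI services: one that checks HTTP Basic credentials only inside some handlers (so a forgotten path is reachable unauthenticated), and a hardened one that authenticates once, before dispatch, for every path. The audit function at the end is the check a practitioner would run against an endpoint inventory: call each path with no credentials and report those that answer 200. The endpoint names, the user store and the credentials are constructed for the example.

```python
"""Added example: per-handler auth (bypassable) vs deny-by-default auth, plus an
unauthenticated-probe audit. Not part of the advisory; names are assumptions."""
import base64
import hmac

# Constructed in-memory credential store (assumption for the example only).
USERS = {"svc_admin": "correct horse battery staple"}


def _check_basic_auth(environ):
    """Return the user name if the request carries valid Basic credentials, else None."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    expected = USERS.get(user)
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return user


def _respond(start_response, status, body, extra_headers=()):
    start_response(status, [("Content-Type", "application/json"), *extra_headers])
    return [body]


def _unauthorized(start_response):
    return _respond(start_response, "401 Unauthorized", b"{}",
                    [("WWW-Authenticate", 'Basic realm="integration"')])


def vulnerable_app(environ, start_response):
    """Weak pattern: each handler is responsible for its own auth check.
    /api/orders checks credentials; /api/config was written without the check,
    so it is reachable by anyone who can send HTTP to the service."""
    path = environ.get("PATH_INFO", "/")
    if path == "/api/orders":
        if _check_basic_auth(environ) is None:
            return _unauthorized(start_response)
        return _respond(start_response, "200 OK", b'{"orders": []}')
    if path == "/api/config":  # forgotten auth check: the bypass
        return _respond(start_response, "200 OK", b'{"db_password": "constructed"}')
    return _respond(start_response, "404 Not Found", b"{}")


def hardened_app(environ, start_response):
    """Deny by default: authenticate before dispatch, so no path can forget it."""
    if _check_basic_auth(environ) is None:
        return _unauthorized(start_response)
    path = environ.get("PATH_INFO", "/")
    if path == "/api/orders":
        return _respond(start_response, "200 OK", b'{"orders": []}')
    if path == "/api/config":
        return _respond(start_response, "200 OK", b'{"db_password": "constructed"}')
    return _respond(start_response, "404 Not Found", b"{}")


def call(app, path, auth=None):
    """Invoke a WSGI app in-process (no network) and return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode("utf-8")).decode("ascii")
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def audit(app, paths):
    """Probe every path with no credentials; return those that answered 200."""
    return [p for p in paths if call(app, p)[0].startswith("200")]


PATHS = ["/api/orders", "/api/config"]  # constructed endpoint inventory

if __name__ == "__main__":
    print("vulnerable_app exposes:", audit(vulnerable_app, PATHS))  # ['/api/config']
    print("hardened_app exposes:", audit(hardened_app, PATHS))      # []
```

The audit only tells you that a path answers without credentials; an endpoint that legitimately serves public data will also appear, so review the list against the intended access policy rather than treating every hit as a finding.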

Vulnerability details

The vulnerability has been assigned the identifier CVE-2022-21622. Cisco Talos has reported that Oracle SOA Suite versions 12.2.1.3.0 and 12.2.1.4.0 are affected, and that an attacker could exploit the vulnerability using a SOAP request when an applet is used in polling mode to access data contained in the SOA service's XML Document Object Model (DOM).

Software Description:

Oracle SOA Suite is Oracle's enterprise-ready, multi-tenant service delivery platform. It combines Oracle WebLogic Server and Java EE with Oracle Service Bus to provide a complete application integration solution.

Affected version | CVE
Oracle SOA Suite 12.2.1.3.0 | CVE-2022-21622
Oracle SOA Suite 12.2.1.4.0 | CVE-2022-21622

Critical vulnerability in Oracle SOA Suite

A critical vulnerability in Oracle SOA Suite could be exploited by attackers to obtain unauthorized access to critical data or to cause a high impact. Cisco Talos has rated this vulnerability with a CVSS 3.1 base score of 5.8.

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/18/2022 21:18:00 UTC

References