Oracle Agile PLM flaw open to N-days

The other vulnerability, fixed in January 2024, is a high severity (CVSS 8.8/10) flaw in the export component of Oracle's PLM software, and stems from the improper handling of serialized data. It is tracked as CVE-2024-20953. Successful exploitation could enable a low-privileged attacker with network access via HTTP to execute arbitrary code, potentially allowing full system takeover.

The flaw affects Oracle Agile PLM version 9.3.6 and received a fix from Oracle in a January 2024 critical patch update. Although immediate patching was strongly recommended for complete protection, a workaround was also available for quicker relief.

"Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack," Oracle said in an advisory. "For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack."

CISA's update highlights the importance of promptly patching critical deserialization vulnerabilities that can enable complete system takeover.

In another example of offering obvious advice that is nevertheless not always followed, the federal agency recently described buffer overflow flaws in code as "unforgivable" for their criticality and the fact that most of them can be avoided through the straightforward practice of shifting to memory safe languages.

Federal Civilian Executive Branch (FCEB) networks, the non-military federal government networks managed by civilian agencies in the US, have been urged to promptly patch the latest vulnerabilities as per the BOD 22-01 directive.
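The article describes the bug class only as "improper handling of serialized data" and does not show the affected code, so the following is an added, generic illustration of the defensive control that addresses that class in Java: a JEP 290 ObjectInputFilter allowlist applied before any class in the stream is resolved. It is not Oracle's code and says nothing about how Agile PLM's export component is implemented; the package name com.example.export.dto, the size limits and the Unexpected class are all constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class FilteredDeserializer {

    // Hypothetical allowlist for an export component: only our own DTO package and the
    // JDK's java.base module are accepted, every other class is rejected ("!*"), and the
    // stream is capped on nesting depth, reference count and byte size to limit resource abuse.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "com.example.export.dto.*;java.base/*;!*;maxdepth=8;maxrefs=2000;maxbytes=1048576");

    /** Unfiltered read: resolves any class on the classpath, which is what lets untrusted data drive code paths. */
    public static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Filtered read: the filter is consulted before each class is resolved, so rejected classes never load. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed stand-in for a class that is not expected in an export payload (harmless, not a gadget).
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "not on the allowlist";
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> record = new HashMap<>();
        record.put("item", "PART-0001");          // constructed sample payload
        byte[] allowed = serialize(record);        // java.util.HashMap lives in java.base: accepted
        byte[] foreign = serialize(new Unexpected()); // unnamed-module class: not matched, so rejected

        System.out.println("filtered, allowlisted payload: " + readFiltered(allowed));
        System.out.println("unfiltered, foreign class loads: " + readUnfiltered(foreign).getClass().getName());
        try {
            readFiltered(foreign);
        } catch (InvalidClassException e) {
            // Expected: the filter reports status REJECTED and the object is never constructed.
            System.out.println("filtered, foreign class rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the point: a denylist of known gadget classes is always one new gadget behind, whereas an allowlist plus depth and size limits rejects anything the export path was not designed to accept. Where code cannot be changed quickly, the same filter syntax can be applied process-wide through the jdk.serialFilter system property, which pairs naturally with the network and privilege reductions Oracle recommends as interim measures.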
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3832453/critical-deserialization-bugs-in-adobe-oracle-software-actively-exploited-warns-cisa.html