The US Cybersecurity and Infrastructure Security Agency (CISA) has added an unspecified vulnerability in Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects Oracle Fusion Middleware Access Manager and “allows an unauthenticated attacker with network access via HTTP to take over the Access Manager product.” CISA has specified a mitigation due date of December 19, 2022.
- Your business units are going to want to regression test updates to Fusion Middleware. While appropriate, time-bound those activities so you can get the updates deployed. The update includes 39 security patches, 35 of which may be remotely exploitable without authentication, so make sure you prioritize any Internet-facing applications. Updates are also tied to the version of Oracle Database used, so make sure to also apply the November database CPU.