Warning: Unauthenticated Data Exposure Vulnerability in Oracle Agile Product Lifecycle Management (PLM) patch immediately!

Published: 21/11/2024

Reference:
Advisory #2024-270

Version:
1.0

Affected software:
Oracle Agile PLM Framework, version 9.3.6

Type:
Unauthenticated Data Access

CVE/CVSS:

CVE-2024-21287
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Sources

https://www.oracle.com/security-alerts/alert-cve-2024-21287.html

Risks

An easily exploitable vulnerability in Oracle Agile PLM Framework version 9.3.6 allows an unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework.

Description

A vulnerability in Oracle Agile PLM Framework (component: SDK, Process Extension) affects version 9.3.6. It allows an unauthenticated attacker with HTTP network access to compromise the framework; successful exploitation can result in unauthorized access to critical data, or to all data the Oracle Agile PLM Framework can access (confidentiality impact only, as reflected by the CVSS vector C:H/I:N/A:N).

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable systems with the highest priority, after thorough testing.
 

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
