CVE-2024-21287 - Critical Vulnerability in Oracle Agile PLM Framework: Unauthorized Access to Critical Data

Oracle Agile PLM Framework is an essential part of the Oracle Supply Chain. It is designed to streamline and manage business processes, which results in improved product quality and cost-savings. However, a vulnerability has been discovered in the Oracle Agile PLM Framework (version 9.3.6), which can lead to unauthorized access to critical data. The CVE-2024-21287 vulnerability is present in the Software Development Kit (SDK) and Process Extension component of the Oracle Supply Chain.

This vulnerability is classified as a CVSS 3.1 with a Base Score of 7.5. The CVSS vector is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). This means that the vulnerability is easily exploitable and allows an unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework, ultimately resulting in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data.

The code snippet below demonstrates the vulnerability in action

// Example exploit code for CVE-2024-21287
// NOTE: This code is for educational purposes only.

import requests

exploit_url = "http://target_oracle_agile_plm_framework/sdk/process_extension";
payload = {"some_param": "malicious_data"}

response = requests.post(exploit_url, data=payload)

if response.status_code == 200:
    print("Exploit Successful!")
else:
    print("Exploitation failed.")

Exploit Details

The attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable Oracle Agile PLM Framework using the SDK and Process Extension component. This can result in unauthorized access to critical data or even complete access to all Oracle Agile PLM Framework accessible data.

Original References

1. CVE-2024-21287: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21287
2. Oracle Critical Patch Update: https://www.oracle.com/security-alerts/cpuOct2021.html

How to fix this vulnerability?

To mitigate this vulnerability, Oracle has released a Critical Patch Update for the affected version 9.3.6. Oracle recommends that customers should apply this security patch as soon as possible to avoid unauthorized access to their critical data.

Conclusion

This critical vulnerability, CVE-2024-21287, in the Oracle Agile PLM Framework can lead to unauthorized access of critical data. Attackers can exploit the vulnerability using simple HTTP requests, making it essential for Oracle users to update their systems immediately. By applying the patch provided by Oracle and staying up-to-date with security updates, companies can ensure their data is protected and keep their systems secure.

Timeline

Published on: 11/18/2024 22:15:05 UTC
Last modified on: 11/29/2024 15:26:04 UTC