Oracle patches exploited Agile PLM vulnerability (CVE-2024-21287)
Oracle has released a security patch for CVE-2024-21287, a remotely exploitable vulnerability in the Oracle Agile PLM Framework that is, according to Tenable researchers, being actively exploited by attackers.
About CVE-2024-21287
Oracle Agile PLM Framework is an enterprise product lifecycle management solution that enables collaboration between the various teams involved.
CVE-2024-21287 affects version 9.3.6 of the Agile PLM Framework – more specifically, the Agile Software Development Kit and the Process Extension components.
“This vulnerability is remotely exploitable [via HTTP and HTTPS protocol] without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure,” Oracle shared in the associated advisory.
The NVD entry for the vulnerability details that “successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data”.
CrowdStrike’s researchers Joel Snape and Lutz Wolf have been credited with reporting the flaw.
Exploitation
Tenable Research’s threat landscape status says that “in the wild exploitation has been observed”.
“Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the company said, but did not mention the vulnerability being leveraged by attackers.
We’ve asked for more details from Oracle, Tenable and CrowdStrike and we’ll update this article if we receive a relevant reply.
UPDATE (November 19, 2024, 11:55 a.m. ET):
In a separate post, Eric Maurice, VP of Security Assurance at Oracle, said the vulnerability “was reported as being actively exploited ‘in the wild’ by CrowdStrike”.