October 23, 2024
Severity
High
Analysis Summary
CVE-2024-21278 (CVSS 8.1)
Vulnerability in the Oracle Contract Lifecycle Management for Public Sector product of Oracle E-Business Suite (component: Award Processes). Supported versions that are affected are 12.2.3-12.2.13. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Contract Lifecycle Management for Public Sector. Successful attacks can result in unauthorized creation, deletion or modification access to critical data.
CVE-2024-21277 (CVSS 8.1)
Vulnerability in the Oracle MES for Process Manufacturing product of Oracle E-Business Suite (component: Device Integration). Supported versions that are affected are 12.2.3-12.2.13. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Oracle MES for Process Manufacturing.
CVE-2024-21276 (CVSS 8.1)
Vulnerability in the Oracle Work in Process product of Oracle E-Business Suite (component: Messages). Supported versions that are affected are 12.2.3-12.2.13. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Work in Process. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Oracle Work in Process accessible data, as well as unauthorized access.
CVE-2024-21275 (CVSS 8.1)
Vulnerability in the Oracle Quoting product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.7-12.2.13. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Quoting. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Oracle Quoting accessible data, as well as unauthorized access to critical data.
CVE-2024-21274 (CVSS 7.5)
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle WebLogic Server.
CVE-2024-21271 (CVSS 8.1)
Vulnerability in the Oracle Field Service product of Oracle E-Business Suite (component: Field Service Engineer Portal). Supported versions that are affected are 12.2.3-12.2.13. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Field Service. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Oracle Field Service accessible data, as well as unauthorized access.
CVE-2024-21272 (CVSS 7.5)
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0 and prior. This difficult-to-exploit vulnerability allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks can result in takeover of MySQL Connectors.
CVE-2024-21268 (CVSS 8.1)
Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Diagnostics). Supported versions that are affected are 12.2.11-12.2.13. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications Manager accessible data, as well as unauthorized access.
CVE-2024-21270 (CVSS 8.1)
Vulnerability in the Oracle Common Applications Calendar product of Oracle E-Business Suite (component: Tasks). Supported versions that are affected are 12.2.6-12.2.13. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Common Applications Calendar. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Oracle Common Applications Calendar accessible data.
CVE-2024-21269 (CVSS 8.1)
Vulnerability in the Oracle Incentive Compensation product of Oracle E-Business Suite (component: Compensation Plan). Supported versions that are affected are 12.2.3-12.2.13. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Incentive Compensation. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Oracle Incentive Compensation accessible data.
CVE-2024-21267 (CVSS 8.1)
Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.12-12.2.13. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Oracle Cost Management accessible data, as well as unauthorized access.
Impact
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2024-21278
- CVE-2024-21277
- CVE-2024-21276
- CVE-2024-21275
- CVE-2024-21274
- CVE-2024-21271
- CVE-2024-21272
- CVE-2024-21268
- CVE-2024-21270
- CVE-2024-21269
- CVE-2024-21267
Affected Vendors
- Oracle Corporation
Affected Products
- Oracle Corporation Oracle Contract Lifecycle Management for Public Sector - 12.2.3
- Oracle Corporation Oracle MES for Process Manufacturing - 12.2.3
- Oracle Corporation Oracle Work in Process - 12.2.3
- Oracle Corporation Oracle Quoting - 12.2.7
- Oracle Corporation Oracle WebLogic Server - 12.2.1.4.0, 14.1.1.0.0
- Oracle Corporation Oracle Field Service - 12.2.3
- Oracle Corporation MySQL Connectors - *
- Oracle Corporation Oracle Common Applications Calendar - 12.2.6
- Oracle Corporation Oracle Incentive Compensation - 12.2.3
- Oracle Corporation Oracle Cost Management - 12.2.12
Remediation
Refer to the Oracle Critical Patch Update Advisory for upgrade or suggested workaround information.
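As an added example (not part of this advisory or of Oracle's tooling), the following Python check maps a deployed product and version against the affected-version ranges stated in the Analysis Summary above and returns the CVE ids that apply, so an inventory can be triaged before patching; the sample inventory at the bottom is constructed, and the comparison is numeric per version component so that 12.2.13 is correctly placed after 12.2.3.

```python
"""Exposure check for the Oracle CPU entries listed in this advisory (added example)."""
from __future__ import annotations


def parse_version(v: str) -> tuple[int, ...]:
    # Split "12.2.13" into (12, 2, 13): numeric comparison avoids the string
    # pitfall where "12.2.13" < "12.2.3" because "1" sorts before "3".
    return tuple(int(part) for part in v.split("."))


# (cve, product, spec) transcribed from the Analysis Summary. A tuple spec is an
# inclusive (low, high) range, None meaning "no lower bound" ("9.0.0 and prior");
# a set spec enumerates exact versions (WebLogic 12.2.1.4.0 and 14.1.1.0.0).
ADVISORY = [
    ("CVE-2024-21278", "Oracle Contract Lifecycle Management for Public Sector", ("12.2.3", "12.2.13")),
    ("CVE-2024-21277", "Oracle MES for Process Manufacturing", ("12.2.3", "12.2.13")),
    ("CVE-2024-21276", "Oracle Work in Process", ("12.2.3", "12.2.13")),
    ("CVE-2024-21275", "Oracle Quoting", ("12.2.7", "12.2.13")),
    ("CVE-2024-21274", "Oracle WebLogic Server", {"12.2.1.4.0", "14.1.1.0.0"}),
    ("CVE-2024-21271", "Oracle Field Service", ("12.2.3", "12.2.13")),
    ("CVE-2024-21272", "MySQL Connectors", (None, "9.0.0")),
    ("CVE-2024-21268", "Oracle Applications Manager", ("12.2.11", "12.2.13")),
    ("CVE-2024-21270", "Oracle Common Applications Calendar", ("12.2.6", "12.2.13")),
    ("CVE-2024-21269", "Oracle Incentive Compensation", ("12.2.3", "12.2.13")),
    ("CVE-2024-21267", "Oracle Cost Management", ("12.2.12", "12.2.13")),
]


def is_affected(product: str, version: str) -> list[str]:
    """Return the CVE ids from this advisory that apply to `product` at `version`."""
    v = parse_version(version)
    hits = []
    for cve, name, spec in ADVISORY:
        if name != product:
            continue
        if isinstance(spec, set):  # enumerated exact versions
            if version in spec:
                hits.append(cve)
        else:
            low, high = spec
            if (low is None or parse_version(low) <= v) and v <= parse_version(high):
                hits.append(cve)
    return hits


def check_inventory(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each 'product version' entry to the CVEs that apply to it."""
    return {f"{p} {v}": is_affected(p, v) for p, v in inventory}


# Constructed sample inventory (hypothetical deployment, not from the advisory).
SAMPLE_INVENTORY = [
    ("Oracle Work in Process", "12.2.9"),        # inside 12.2.3-12.2.13 -> affected
    ("Oracle Quoting", "12.2.5"),                # below 12.2.7 -> not affected
    ("Oracle WebLogic Server", "12.2.1.4.0"),    # listed exact version -> affected
    ("MySQL Connectors", "8.4.0"),               # "9.0.0 and prior" -> affected
    ("Oracle Applications Manager", "12.2.10"),  # below 12.2.11 -> not affected
]

if __name__ == "__main__":
    for entry, cves in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{entry}: {', '.join(cves) if cves else 'not affected'}")
```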