Executive Summary
The Oracle Critical Patch Update (CPU) for October 2024 delivers 334 new security patches across Oracle's product families. This report covers the most severe vulnerabilities in the update, what is actually known about their exploitation in the wild, the threat-actor tradecraft they map to, and concrete mitigations. Oracle's advisory does not name targeted sectors or countries; given the products involved (database, middleware, Java, MySQL), the exposure is broad across any industry that runs Oracle technology.
Technical Information
The October 2024 CPU spans Oracle Database, Oracle Fusion Middleware, Oracle Java SE and Oracle MySQL, among other product families. Three entries stand out. CVE-2024-21216 is a vulnerability in the Core component of Oracle WebLogic Server that an unauthenticated attacker with network access to the T3 or IIOP listener can exploit to take over the server; Oracle rates it CVSS 9.8. CVE-2024-45492 is a flaw in the LibExpat library bundled with Oracle Outside In Technology (listed under the DC-Specific Component), also rated CVSS 9.8; Outside In is a document filtering and conversion library, so the attack surface is any product that feeds untrusted files through it. CVE-2024-5535 is an OpenSSL bug (a buffer over-read in SSL_select_next_proto) that Oracle lists against several MySQL components, including MySQL Cluster and MySQL Server, because those products ship with and link against OpenSSL.
CVE-2024-21216 is the highest-risk item for most enterprises: it needs no credentials and is reachable over T3 and IIOP, the RMI transports WebLogic uses for its own administration traffic and for EJB and JMS clients. On a default configuration both protocols are multiplexed on the same listen port as HTTP (7001), so a WebLogic instance exposed to the internet for its web applications is usually exposed for T3 and IIOP as well. Flaws reachable over these two protocols have been a recurring WebLogic attack vector for years. The Outside In and MySQL issues are less directly exposed but still matter: Outside In processes attacker-supplied documents inside content-management, e-discovery and security-scanning products, and MySQL's OpenSSL exposure extends to every component that terminates TLS.
Exploitation in the Wild
Oracle's advisory carries its standing warning that the company continues to receive reports of attempts to exploit vulnerabilities for which patches have already been released, and that some of those attempts succeed because the targets were not patched. Oracle has not published details of CVE-2024-21216 beyond the CVSS vector, and no indicator set specific to it is available at the time of writing; this report treats it as the most likely exploitation target in the CPU on the strength of its characteristics (unauthenticated, network-reachable, server takeover) rather than on a confirmed incident. Because T3 and IIOP normally share WebLogic's HTTP listen port, "unusual activity on the T3 and IIOP ports" in practice means: T3 or IIOP handshakes arriving from addresses that should only ever speak HTTP, the WebLogic JVM spawning shells or other child processes, new or modified files under the domain directory, and outbound connections from the WebLogic process to hosts it does not normally contact. Organizations should also watch CISA's Known Exploited Vulnerabilities catalog for any subsequent listing of these CVEs.
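The handshake-based detection described above, as an added example (not Rescana's or Oracle's code): WebLogic clients open a T3 session with a short plain-text hello, which is what a scanner sends to confirm T3 is reachable and what a defender can look for in the first payload of flows from hosts that should only speak HTTP. The host names, addresses and payloads below are constructed for illustration; `probe_t3` is only meant to be pointed at your own servers.

```python
"""T3 handshake probe and passive detector (added example, not Rescana's
or Oracle's code). Sample flows and the sample HELO reply are constructed."""
import re
import socket
from typing import Iterable, List, Optional, Set, Tuple

# Client side of the T3 hello. The version only needs to be one the server
# will accept; 12.2.3 is commonly used by probes.
T3_PROBE = b"t3 12.2.3\nAS:255\nHL:19\n\n"

# A T3 listener answers "HELO:<version>.<true|false>..."; an HTTP server on
# the same port answers with something else or closes the connection.
_HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)\.(?:true|false)", re.MULTILINE)
_CLIENT_HELLO_RE = re.compile(rb"^t3s? \d+(?:\.\d+)+\r?\n")


def parse_t3_hello(response: bytes) -> Optional[str]:
    """Return the WebLogic version from a T3 HELO, or None if it is not T3."""
    m = _HELO_RE.search(response)
    return m.group(1).decode() if m else None


def is_t3_client_hello(payload: bytes) -> bool:
    """Passive check: does the first payload of a flow look like a T3 hello?"""
    return _CLIENT_HELLO_RE.match(payload) is not None


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> Optional[str]:
    """Active check: send the hello and return the server version, or None."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_PROBE)
        data = b""
        try:
            while b"\n\n" not in data and len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return parse_t3_hello(data)


Flow = Tuple[str, str, int, bytes]  # src_ip, dst_ip, dst_port, first payload


def flag_t3_from_untrusted(flows: Iterable[Flow], trusted: Set[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, port) for T3 hellos from sources not in the allow-list.
    Matching on the handshake rather than the port matters because T3 shares
    WebLogic's HTTP listen port unless a dedicated channel is configured."""
    return [(src, dst, port) for src, dst, port, payload in flows
            if is_t3_client_hello(payload) and src not in trusted]


# Constructed sample flows: an HTTP request, a T3 hello from an admin host,
# and a T3 hello from an external address that should never speak T3.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.7", "10.0.0.5", 7001, b"GET /console HTTP/1.1\r\nHost: wls\r\n\r\n"),
    ("10.0.0.9", "10.0.0.5", 7001, b"t3 12.2.3\nAS:255\nHL:19\n\n"),
    ("203.0.113.8", "10.0.0.5", 7001, b"t3 12.2.3\nAS:255\nHL:19\n\n"),
]
# Constructed server reply in the shape a real WebLogic 12.2.1.4.0 sends.
SAMPLE_HELO = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"

if __name__ == "__main__":
    print("untrusted T3 sources:", flag_t3_from_untrusted(SAMPLE_FLOWS, {"10.0.0.9"}))
    print("version from HELO:", parse_t3_hello(SAMPLE_HELO))
```

The version string in the HELO reflects the installed release, not the patch level, so a host answering `12.2.1.4.0` may or may not already carry the October 2024 PSU; the handshake tells you who can reach T3, and the OPatch inventory tells you whether it is patched.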
APT Groups using this vulnerability
No specific APT group has been publicly linked to these vulnerabilities, but exploiting them maps to well-established MITRE ATT&CK techniques: T1190 (Exploit Public-Facing Application) for an internet-exposed WebLogic or MySQL listener, and T1210 (Exploitation of Remote Services) for lateral movement once an attacker is already inside the network. Both are routinely used by intrusion sets that target enterprise software to gain a foothold and then exfiltrate data.
Affected Product Versions
Oracle lists the following versions as affected by the vulnerabilities discussed above:
- Oracle WebLogic Server: 12.2.1.4.0 and 14.1.1.0.0
- Oracle Outside In Technology: 8.5.7
- MySQL Cluster: 7.5.35 and prior, 7.6.31 and prior, 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior
- MySQL Server: 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior
- MySQL Connectors: 9.0.0 and prior
- MySQL Enterprise Backup: 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior
- MySQL Enterprise Monitor: 8.0.39 and prior
- MySQL Workbench: 8.0.38 and prior
"And prior" applies within each release branch: MySQL Server 8.4.0 is affected because it falls under "8.4.2 and prior", while 8.0.40 is not, even though 8.4.0 is the "older" number. Inventory checks that simply compare against the highest listed version will get this wrong.
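A branch-aware version check over the list above, as an added example (not part of Rescana's report or Oracle's advisory): the table is transcribed from the affected-version list, and each installed version is compared only against the entry for its own release branch. The product names and the version strings used as input are assumptions for illustration.

```python
"""Branch-aware check of an installed version against the CPU's affected
ranges (added example, not Oracle's or Rescana's code). The AFFECTED table
is transcribed from the advisory's affected-version list."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (branch, last affected version in that branch). "*" means the range covers
# every branch; a branch equal to the version itself models an exact listing.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "Oracle WebLogic Server": [("12.2.1.4.0", "12.2.1.4.0"), ("14.1.1.0.0", "14.1.1.0.0")],
    "Oracle Outside In Technology": [("8.5.7", "8.5.7")],
    "MySQL Cluster": [("7.5", "7.5.35"), ("7.6", "7.6.31"), ("8.0", "8.0.39"),
                      ("8.4", "8.4.2"), ("9.0", "9.0.1")],
    "MySQL Server": [("8.0", "8.0.39"), ("8.4", "8.4.2"), ("9.0", "9.0.1")],
    "MySQL Connectors": [("*", "9.0.0")],
    "MySQL Enterprise Backup": [("8.0", "8.0.39"), ("8.4", "8.4.2"), ("9.0", "9.0.1")],
    "MySQL Enterprise Monitor": [("8.0", "8.0.39")],
    "MySQL Workbench": [("8.0", "8.0.38")],
}


def parse_version(text: str) -> Version:
    """Keep the leading dotted integers: '8.0.39-0ubuntu0.22.04.1' -> (8, 0, 39)."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
        if len(digits) != len(piece):  # e.g. '39-0ubuntu0': stop after the number
            break
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(parts)


def in_branch(version: Version, branch: str) -> bool:
    """8.4.0 is in branch '8.4'; 12.2.1.4.0 is in branch '12.2.1.4.0'."""
    if branch == "*":
        return True
    prefix = parse_version(branch)
    return version[: len(prefix)] == prefix


def is_affected(product: str, version_text: str) -> Optional[bool]:
    """True/False when the version falls in a listed branch; None when the
    branch is not in the advisory at all (e.g. MySQL 5.7, or a WebLogic
    release Oracle no longer patches), which needs a manual decision."""
    version = parse_version(version_text)
    for branch, last in AFFECTED[product]:
        if in_branch(version, branch):
            return version <= parse_version(last)
    return None


if __name__ == "__main__":
    # Constructed inventory rows: (product, version as reported by the host).
    inventory = [
        ("MySQL Server", "8.0.39-0ubuntu0.22.04.1"),
        ("MySQL Server", "8.4.0"),
        ("MySQL Server", "8.0.40"),
        ("Oracle WebLogic Server", "12.2.1.4.0"),
        ("Oracle WebLogic Server", "12.2.1.3.0"),
    ]
    for product, ver in inventory:
        print(f"{product} {ver}: affected={is_affected(product, ver)}")
```

For WebLogic the reported version does not change when a Patch Set Update is applied, so a `True` here means "affected release installed" and the OPatch inventory must be checked to see whether the October 2024 patch is already present.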
Workaround and Mitigation
Apply the October 2024 CPU. Oracle's patches are cumulative, so the latest CPU also covers earlier issues; WebLogic fixes ship as Patch Set Updates installed with OPatch, and the WebLogic version string does not change after patching, so confirm patch state from the OPatch inventory rather than the version banner. For CVE-2024-21216, until the patch is in place: do not expose the WebLogic listen port to untrusted networks; use WebLogic's connection filter to deny t3, t3s, iiop and iiops from everything except administrative hosts, while leaving http and https alone; disable IIOP on servers that do not need it; and monitor for T3 and IIOP handshakes from unexpected sources. For CVE-2024-5535, upgrade to the MySQL releases shipped with this CPU rather than relying on an operating-system OpenSSL update: Oracle's MySQL builds may carry their own copy of OpenSSL that a system package upgrade does not touch, and where MySQL is built against the system library, that library must be patched and the MySQL service restarted before the fix takes effect. Network segmentation and least-privilege database and service accounts limit what an attacker gains if a single exploit succeeds.
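The connection-filter mitigation above, worked through as an added example (not Rescana's or Oracle's code). WebLogic's built-in filter, `weblogic.security.net.ConnectionFilterImpl`, takes rules of the form `<target> <localAddress> <localPort> <action> [protocol ...]`, evaluates them top to bottom, applies the first match, and allows the connection when no rule matches. The helper below re-implements that documented first-match logic so a rule set can be sanity-checked offline before it is pasted into the console; it is an approximation of WebLogic's behaviour, so also validate on a test server. The rule set, addresses and host names are constructed for illustration.

```python
"""Offline evaluator for WebLogic connection-filter rules (added example,
not Oracle's or Rescana's code; approximates the documented first-match
semantics of weblogic.security.net.ConnectionFilterImpl)."""
import fnmatch
import ipaddress
from typing import List, Tuple

# target, local address, local port, action, protocols (empty = all)
Rule = Tuple[str, str, str, str, List[str]]
ADMIN_PROTOCOLS = ("t3", "t3s", "iiop", "iiops")


def parse_rules(text: str) -> List[Rule]:
    """Parse rules in the format used on Domain > Security > Filter."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        target, local_addr, local_port, action = fields[:4]
        rules.append((target, local_addr, local_port, action,
                      [p.lower() for p in fields[4:]]))
    return rules


def _target_matches(target: str, remote: str) -> bool:
    """Target may be an IP, a CIDR or dotted-netmask range, or a host pattern."""
    try:
        return ipaddress.ip_address(remote) in ipaddress.ip_network(target, strict=False)
    except ValueError:  # either side is not an address: treat as a hostname glob
        return fnmatch.fnmatch(remote.lower(), target.lower())


def decide(rules: List[Rule], remote: str, local: str, port: int, protocol: str) -> str:
    """First matching rule wins; no match means allow, as in WebLogic."""
    protocol = protocol.lower()
    for target, local_addr, local_port, action, protocols in rules:
        if not _target_matches(target, remote):
            continue
        if local_addr != "*" and local_addr != local:
            continue
        if local_port != "*" and int(local_port) != port:
            continue
        if protocols and protocol not in protocols:
            continue
        return action
    return "allow"


def admin_protocols_open(rules: List[Rule], remote: str, local: str, port: int) -> List[str]:
    """Which RMI transports can `remote` still reach on this listener?"""
    return [p for p in ADMIN_PROTOCOLS if decide(rules, remote, local, port, p) == "allow"]


# Constructed rule set: only the admin subnet may speak T3/IIOP to the
# default channel. Listing protocols on the deny rule leaves HTTP untouched.
RULES = parse_rules("""
10.0.0.0/24  *  7001  allow  t3 t3s iiop iiops
0.0.0.0/0    *  *     deny   t3 t3s iiop iiops
""")

if __name__ == "__main__":
    for remote in ("10.0.0.9", "203.0.113.8"):
        print(remote, "rmi:", admin_protocols_open(RULES, remote, "10.0.0.5", 7001),
              "http:", decide(RULES, remote, "10.0.0.5", 7001, "http"))
```

Order matters: swapping the two rules puts the catch-all deny first, and the admin subnet loses T3 as well. A rule with no protocol list blocks HTTP too, which is usually not what is intended for an internet-facing server.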
References
For the authoritative list of affected products, CVSS vectors and patch availability, see the Oracle Critical Patch Update Advisory - October 2024 at https://www.oracle.com/security-alerts/cpuoct2024.html. Check CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog for any subsequent listing of the CVEs discussed here.
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive visibility into your security posture, enabling proactive identification and mitigation of vulnerabilities. Should you have any questions about this report or require further assistance, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your organization's critical assets.