Critical Oracle Identity Manager Flaw Under Active Exploitation – Urgent Patching Required
A notable security vulnerability in Oracle Identity Manager is currently being exploited by threat actors, prompting an urgent warning from the Cybersecurity and Infrastructure Security Agency (CISA). Federal Civilian Executive Branch (FCEB) agencies have been given until December 12th to apply the necessary patch, as mandated by Binding Operational Directive (BOD) 22-01.
This vulnerability represents a common entry point for malicious cyber activity and poses a significant risk to organizations relying on Oracle Identity Manager. CISA has emphasized the severity of the situation, though specific details regarding the initial exploitation remain undisclosed.
Evidence of Early Exploitation
Recent research suggests the flaw may have been exploited as a “zero-day” – meaning attackers were leveraging it before a patch was available – as early as August 30th. Analysis of network traffic reveals suspicious activity targeting specific URLs within the Identity Manager application.
Specifically, researchers observed HTTP POST requests directed to these endpoints:
* /iam/governance/applicationmanagement/templates;.wadl
* /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
These requests align with a publicly shared exploit detailed by Searchlight Cyber. The activity originated from three distinct IP addresses – 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153 – but all utilized the same browser user agent, indicating a potential single attacker.
What This Means For You
If you utilize Oracle Identity Manager, immediate action is crucial. You should prioritize patching your systems before the December 12th deadline to mitigate the risk of compromise.
Here’s what you need to do:
* Verify your Oracle Identity Manager version. Determine whether your installation is affected by the vulnerability.
* Apply the official Oracle patch immediately. Don’t delay; the window of opportunity for attackers is open.
* Monitor your systems for suspicious activity. Look for unusual HTTP POST requests targeting the endpoints listed above.
* Review your security logs. Search for any evidence of unauthorized access or exploitation attempts.
Understanding the Threat
The consistent use of the same browser user agent – mimicking Google Chrome 60 on Windows 10 – suggests attackers are attempting to blend in with legitimate traffic. This tactic makes detection more challenging, highlighting the importance of proactive monitoring and threat hunting.
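A defender's log check built from the indicators in this article, added here as an example (it is not from the article, Oracle, or Searchlight Cyber): it parses combined-format access log lines, flags POST requests to the two endpoints listed above and requests from the three reported addresses, and groups flagged source IPs by User-Agent to surface the one-user-agent-across-several-IPs pattern described. The combined log format, the constructed sample lines, the Chrome 60 user-agent string and the 2025 timestamps are assumptions.

```python
import re
from collections import defaultdict
# Endpoints reported in the article; the ";.wadl" suffix is part of the observed path.
SUSPECT_PATHS = {
    "/iam/governance/applicationmanagement/templates;.wadl",
    "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl",
}
# Source addresses reported in the article (defanged there, plain here for matching).
REPORTED_IPS = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}
# Apache/nginx "combined" format; assumes the proxy in front of OIM logs this way.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
def indicators(rec):
    """Names of the reported indicators that one parsed log record matches."""
    path = rec["path"].split("?", 1)[0].lower()  # compare the path only, no query string
    hits = []
    if rec["method"] == "POST" and path in SUSPECT_PATHS:
        hits.append("post_to_reported_endpoint")
    elif path.startswith("/iam/") and ";.wadl" in path:
        hits.append("wadl_suffix_on_iam_path")   # looser heuristic; triage manually
    if rec["ip"] in REPORTED_IPS:
        hits.append("reported_source_ip")
    return hits

def scan(lines):
    """(ip, path, user_agent, indicators) for each line matching at least one indicator."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)                   # lines in another format are skipped
        rec = m.groupdict() if m else None
        if rec and (why := indicators(rec)):
            out.append((rec["ip"], rec["path"], rec["ua"], why))
    return out

def ips_per_user_agent(hits):
    groups = defaultdict(set)                    # one UA across several IPs is the reported pattern
    for ip, _, ua, _ in hits:
        groups[ua].add(ip)
    return dict(groups)

# Constructed sample lines, not captured traffic; timestamps and the UA string are made up.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/60.0.3112.113"
SAMPLE_LOG = [
    f'89.238.132.76 - - [30/Aug/2025:10:15:01 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "{UA}"',
    f'185.245.82.81 - - [30/Aug/2025:10:16:42 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 128 "-" "{UA}"',
    '10.0.0.7 - - [30/Aug/2025:10:17:00 +0000] "GET /iam/governance/applicationmanagement/templates HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    "malformed line that the parser should skip",
]
```

Running `scan(SAMPLE_LOG)` flags the two POST lines and `ips_per_user_agent` shows both source IPs sharing one user agent, while the legitimate GET and the malformed line produce nothing.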
While the full scope of the exploitation remains under investigation, the evidence strongly suggests active targeting of this vulnerability. It’s vital to treat this as a serious threat and take immediate steps to protect your organization.
We have reached out to Oracle for comment and will update this article as more facts become available. Staying informed and acting swiftly are your best defenses against this evolving threat.