Oracle Agile PLM Vulnerability

By Kalani Anderson on November 22, 2024

Executive Summary

On November 18, 2024, Oracle disclosed in a security advisory that they had discovered a vulnerability in their Agile Product Lifecycle Management (PLM) Framework. The vulnerability, CVE-2024-21287, allowed unauthorized threat actors to access system information reachable through the PLM Framework without any form of authentication, making it a severe vulnerability to address. Due to the severity and ease of exploitation, Oracle strongly encourages users of Agile PLM Framework version 9.3.6 to update their systems.

Background

Oracle is an international technology company that provides software, hardware, and cloud computing services to help businesses manage and organize system data [1]. Oracle’s Agile PLM Framework is an application that helps businesses manage data, systems, and processes, and it is particularly appealing to internationally distributed organizations because it scales easily [2].

The initial discovery of the vulnerability is credited to CrowdStrike researchers Joel Snape and Lutz Wolf. CVE-2024-21287 was given a CVSS base score of 7.5 and a severity rating of High, indicating the serious nature of the vulnerability. The CVSS vector, /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicates that the attack vector is the network (AV:N), the attack complexity is low (AC:L), no privileges or user interaction are required (PR:N, UI:N), and the impact on system confidentiality is high (C:H) [3].

Exploitation

While the full details of how the vulnerability was exploited have not been released, exploitation required the threat actor to reach the application over the network via HTTP. The vulnerability did not require authentication (a username and password), making it easy to exploit and allowing systems to be compromised through Oracle’s Agile PLM Framework. Successful exploitation could have allowed threat actors to access sensitive and critical information, and any data accessible to the PLM Framework, without authorization [3].

Significance and Impact

Because the vulnerability is easy to exploit, and CrowdStrike found real-time instances of CVE-2024-21287 being exploited, the potential impact is grave. Attackers who successfully exploit the vulnerability have complete unauthorized access to any systems, files, and information accessible from the PLM application, leaving systems and organizations extremely vulnerable [4].

Mitigation

To mitigate the vulnerability, Oracle strongly recommends that any customers using the Agile PLM Framework, specifically version 9.3.6, update their application [5]. It is especially imperative that users update their application because the vulnerability is being actively exploited [4]. Additionally, users can follow these practices to strengthen their cybersecurity posture:

  1. Enable automatic updates for system applications
  2. Enable multi-factor authentication
  3. Segment networks and organizational data

Conclusion

Oracle’s Agile PLM vulnerability stresses the importance of users swiftly applying updates from application vendors to protect their systems and organizations from harm. While vulnerability discovery is vital to the protection of systems, it is crucial that security patches are applied on the user end. Additionally, it is important for users and organizations to maintain a strong security posture beyond applying application updates when they are released. Always use a strong and complex password, segment networks and systems, and enable multi-factor authentication when possible.


References

[1] Oracle. (n.d.). Oracle. https://www.oracle.com/

[2] Vulnera. (2024, November 19). Oracle Addresses Zero-Day Exploit in Agile PLM Software. https://vulnera.com/newswire/oracle-addresses-zero-day-exploit-in-agile-plm-software/

[3] NIST. (2024, November 18). CVE-2024-21287 Detail. https://nvd.nist.gov/vuln/detail/CVE-2024-21287

[4] Maurice, E. (2024, November 18). Security Alert CVE-2024-21287 Released. https://blogs.oracle.com/security/post/alert-cve-2024-21287

[5] Oracle. (2024, November 18). Oracle Security Alert Advisory – CVE-2024-21287. https://www.oracle.com/security-alerts/alert-cve-2024-21287.html#AppendixSCP