CVE-2024-21067

8.8 HIGH

📋 TL;DR

This vulnerability in Oracle Enterprise Manager Base Platform allows a low-privileged attacker with local access to the host to completely compromise the system, potentially affecting other connected products. It affects version 13.5.0.0 of the Host Management component. The attack requires local access but can lead to full system takeover.

💻 Affected Systems

Products:
  • Oracle Enterprise Manager Base Platform
Versions: 13.5.0.0
Operating Systems: All platforms running Oracle Enterprise Manager
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Host Management component. Requires attacker to have local access to the host where Oracle Enterprise Manager executes.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Oracle Enterprise Manager Base Platform leading to full administrative control, data theft, and potential lateral movement to other connected Oracle products.

🟠 Likely Case

Attacker with local user privileges gains full control over the Enterprise Manager instance, allowing them to modify configurations, access sensitive data, and disrupt management operations.

🟢 If Mitigated

With proper network segmentation and strict access controls, impact is limited to the isolated management segment, though the compromised system would still need remediation.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle describes this vulnerability as 'easily exploitable', but it requires a low-privileged attacker with logon access to the infrastructure where Oracle Enterprise Manager executes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patch from Oracle Critical Patch Update April 2024

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2024.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from My Oracle Support.
2. Apply the patch following Oracle's Enterprise Manager patching procedures.
3. Restart the Oracle Enterprise Manager services.
4. Verify the patch was applied successfully.

🔧 Temporary Workarounds

Restrict Local Access (applies to: all)

Limit local login access to Oracle Enterprise Manager hosts to only authorized administrators.

Network Segmentation (applies to: all)

Isolate Oracle Enterprise Manager hosts from general user networks and implement strict firewall rules.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can log into the Oracle Enterprise Manager host
  • Monitor for suspicious activity on the Enterprise Manager host and review access logs regularly

🔍 How to Verify

Check if Vulnerable:

Check if Oracle Enterprise Manager version is 13.5.0.0 and verify patch status

Check Version:

emctl status oms -details (on the OMS host)

Verify Fix Applied:

Verify that the April 2024 Critical Patch Update has been applied to the Enterprise Manager installation

📡 Detection & Monitoring

Log Indicators:

  • Unusual local login activity on Enterprise Manager host
  • Suspicious process execution by low-privileged users
  • Unexpected configuration changes in Enterprise Manager

Network Indicators:

  • Unusual outbound connections from Enterprise Manager host
  • Suspicious management traffic patterns

SIEM Query:

source="oracle-em-logs" AND (event_type="local_login" OR event_type="privilege_escalation")

🔗 References
