Overview
Oracle Concurrent Processing versions 12.2.3 through 12.2.14 contain a critical remote code execution vulnerability reachable over unauthenticated HTTP network access. An attacker who can reach the HTTP endpoint needs no credentials to fully compromise an affected system. The vulnerability was disclosed on October 5, 2025. CISA has identified CVE-2025-61882 as exploited in the wild and it is known to be used in ransomware campaigns.
Technical details
Oracle Concurrent Processing, a critical component of Oracle E-Business Suite (EBS), contains a remote code execution vulnerability that can be exploited by unauthenticated attackers over HTTP. The vulnerability allows attackers to execute arbitrary code on the server with the privileges of the web server process, leading to complete system compromise.
The vulnerability is classified as CWE-287 (Improper Authentication), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')).
The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting its critical severity.
Impact
Successful exploitation allows unauthenticated attackers to execute arbitrary code on the affected system with the privileges of the Oracle Concurrent Processing application. This can lead to: complete system compromise, unauthorized access to sensitive business data, modification or deletion of critical business records, disruption of business operations, lateral movement within the organization's network, and installation of persistent backdoors for ongoing access.
Mitigation and workarounds
1. Download the latest Oracle Critical Patch Update (CPU) from Oracle Support (https://support.oracle.com)
2. Review the patch documentation and prerequisites
3. Apply the patch following Oracle's patching procedures for E-Business Suite
4. Test in a non-production environment before applying to production
5. Schedule a maintenance window and apply the patch to all affected Concurrent Processing instances
6. Verify the patch installation with appropriate integrity checks
The following versions include the necessary fixes: Oracle Concurrent Processing 12.2.15 or later; apply the Oracle Critical Patch Update (CPU) from January 2025 or later.
As temporary workarounds:
- Restrict network access to Oracle Concurrent Processing HTTP endpoints using firewall rules, a WAF (web application firewall), or network segmentation. Limit access to trusted IP addresses/networks only.
- Disable HTTP access and require HTTPS with client certificate authentication where possible. Configure the application to reject unauthenticated requests.
- Place Oracle Concurrent Processing behind a reverse proxy or API gateway with authentication enforcement, rate limiting, and input validation.
- Implement web application firewall (WAF) rules to detect and block exploitation attempts targeting this vulnerability.
CISA recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated by AI