
CVE-2022-21587 PoC — Oracle E-Business Suite access control error vulnerability

Source
Related vulnerability
Title: Oracle E-Business Suite access control error vulnerability (CVE-2022-21587)
Description: Oracle E-Business Suite is a comprehensive, integrated suite of global business management software from the US company Oracle. It provides customer relationship management, service management, financial management and other functions. The Oracle Web Applications Desktop Integrator component of Oracle E-Business Suite versions 12.2.3 through 12.2.11 contains a security vulnerability. An unauthenticated attacker with network access via HTTP can compromise Oracle Web Applications Desktop Integrat
Description
CVE-2022-21587
Introduction
# 🚨 **CVE-2022-21587** – Critical Oracle E-Business Suite RCE via unauthenticated file upload! ⚠️

## 🔍 **Quick Facts**

- **CVE ID**: CVE-2022-21587  
- **Published**: October 18, 2022  
- **Updated**: Last modified May 2023 (NVD)  
- **CVSS v3.1 Base Score**: 9.8 (Critical)  
  - Attack Vector: Network 🌐  
  - Attack Complexity: Low  
  - Privileges Required: None  
  - User Interaction: None  
  - Scope: Unchanged  
  - Confidentiality/Integrity/Availability: High/High/High  
- **CWE**: CWE-434 (Unrestricted Upload of File with Dangerous Type)  
- **Vendor**: Oracle Corporation  
- **Product**: Oracle E-Business Suite  
- **Affected Component**: Web Applications Desktop Integrator (WebADI)  
- **Root Cause**: Improper validation of file uploads in `BneUploaderServlet`  

---

## 🔥 **Vulnerability Mechanics**

<img width="802" height="256" alt="uuencoding" src="https://github.com/user-attachments/assets/059d923f-3ce9-498e-9ab4-ec7184dd54fb" />

Attackers send crafted HTTP POST requests to:  
```http
POST /OA_HTML/BneUploaderServlet HTTP/1.1
```  
with malicious `.class` or `.jsp` payloads disguised as legitimate uploads. No login required! 🔓  

Example payload snippet (PoC-style):  
```http
Content-Disposition: form-data; name="uploadFile"; filename="evil.jsp"
Content-Type: application/octet-stream

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
```  
→ Executes arbitrary OS commands on the server 🧨

<img width="1920" height="956" alt="CVE-2022-21587" src="https://github.com/user-attachments/assets/46000759-9a74-42df-9959-f71f635fed1c" />

---

## 🛠️ **Exploitation in the Wild**  

- **First Observed**: January 2023  
- **CISA KEV Catalog**: Added February 2, 2023 (Deadline: Feb 23, 2023 for FCEB)  
- **Threat Actors**:  
  - Used in ransomware precursor campaigns  
  - Automated scanners (Mirai-like bots, custom Python scripts)  
  - Public PoCs on GitHub (search: `CVE-2022-21587 exploit`)  
- **Notable Incidents**:  
  - Rapid7 MDR: Multiple customer compromises in Feb 2023  
  - Shadowserver: Scanning spikes post-disclosure
 

<img width="899" height="281" alt="Step-1" src="https://github.com/user-attachments/assets/ad89209d-567b-4e3a-bfe1-8374bb3cd2cb" />

---

## 🎯 **Affected Versions** (Unpatched)  

| Release | Patched In |
|--------|------------|
| 12.2.3 – 12.2.11 | Oct 2022 CPU (Critical Patch Update) |

> **Note**: The affected range follows the vendor description quoted at the top of this page (12.2.3 through 12.2.11). Only systems with **Web Applications Desktop Integrator** enabled are vulnerable.

---

## 🛡️ **Mitigation & Hardening**  

<img width="572" height="612" alt="Capture-d--cran-2024-07-19---14 57 29" src="https://github.com/user-attachments/assets/28028741-0458-47b4-b4af-1c78c9b8fec6" />

1. **Apply Patch** ✅  
   - Download: [Oracle CPU Oct 2022](https://www.oracle.com/security-alerts/cpuoct2022.html)  
   - Patch IDs: `34416369`, `34416370` (per release)  

2. **Network Segmentation** 🔒  
   ```bash
   # Example: expose the OHS listener (default port 8000) only to an internal range.
   # Adjust the range to your network; because -A appends, make sure no broader
   # ACCEPT rule for this port precedes these two.
   iptables -A INPUT -p tcp --dport 8000 -s 192.168.0.0/16 -j ACCEPT
   iptables -A INPUT -p tcp --dport 8000 -j DROP
   ```

3. **WAF / IPS Rules** 🛑  
   - Block `.jsp`, `.class`, `.jar` in `/OA_HTML/`  
   - Signature example (Snort; the redundant `pcre` is dropped, the port is taken from `$HTTP_PORTS` since EBS rarely listens on 80, and note that legitimate WebADI uploads from internal users hit the same URI, so scope the source to `$EXTERNAL_NET` or tune accordingly):  
     ```
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CVE-2022-21587 Oracle EBS BneUploaderServlet upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/OA_HTML/BneUploaderServlet"; http_uri; nocase; classtype:web-application-attack; sid:1000001; rev:2;)
     ```

4. **Detection Queries** 🔍  
   - **Web Logs** (the uploaded filename travels in the POST body, not in the access log, so the query below only matches where request bodies or resulting file paths are logged; a surer sign is a later GET for an unfamiliar `.jsp` under `/OA_HTML/`):  
     ```text
     *BneUploaderServlet* AND (*.jsp* OR *.class*)
     ```  
   - **SIEM**: Look for `POST /OA_HTML/BneUploaderServlet` with `Content-Type: multipart/form-data`, especially from external addresses with no preceding login session

5. **Disable if Unused**  
   - Deactivate WebADI via System Administrator responsibility if not needed.
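
The WAF rule in item 3 and the detection queries in item 4 can be tried against data before they are deployed. The following Python is an added example written for this page, not code from the PoC repository or from Oracle: it triages constructed Apache/OHS-style access log lines for POSTs to the upload servlet and for requests to unfamiliar JSPs under `/OA_HTML/`, and it parses a constructed `multipart/form-data` body to flag dangerous upload names, including double-extension, NUL-byte and traversal tricks. The log format, the allowlist of known EBS JSPs and the sample addresses are assumptions for the example; the servlet path is the one named on this page.

```python
import re
from typing import List, Optional, Tuple

# --- 1. access-log triage ----------------------------------------------------
# Assumption: the OHS in front of EBS writes Apache "combined"-style lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_SERVLET = "/OA_HTML/BneUploaderServlet"          # servlet named on this page
JSP_UNDER_OA_HTML = re.compile(r"^/OA_HTML/[^?]*\.jspx?(?:\?|$)", re.IGNORECASE)
# Constructed allowlist of JSPs that legitimately live under /OA_HTML/; in
# production build it from the installed file tree, not by hand.
KNOWN_JSP = {"/OA_HTML/AppsLogin.jsp", "/OA_HTML/OA.jsp", "/OA_HTML/RF.jsp"}

Finding = Tuple[int, str, str]   # (line number, rule name, detail)

def triage_access_log(lines: List[str]) -> List[Finding]:
    """Flag POSTs to the upload servlet and hits on unfamiliar JSPs under
    /OA_HTML/ (the pattern of a dropped web shell being invoked)."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable; count these in real use
        method, path, status = m["method"], m["path"], m["status"]
        base = path.split("?", 1)[0]
        if method == "POST" and base.lower() == UPLOAD_SERVLET.lower():
            findings.append((n, "upload-servlet-post",
                             f"{m['ip']} POST {path} -> {status}"))
        elif JSP_UNDER_OA_HTML.match(path) and base not in KNOWN_JSP:
            findings.append((n, "unknown-jsp-under-OA_HTML",
                             f"{m['ip']} {method} {path} -> {status}"))
    return findings

# --- 2. multipart body inspection (what the WAF rule in item 3 has to do) ----
DANGEROUS_EXT = {"jsp", "jspx", "jspf", "class", "jar", "war"}
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)

def boundary_of(content_type: str) -> Optional[str]:
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None

def part_filenames(content_type: str, body: bytes) -> List[str]:
    """Every filename= value in the part headers of a multipart/form-data body."""
    boundary = boundary_of(content_type)
    if boundary is None:
        return []
    names: List[str] = []
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):
            break                         # closing delimiter reached
        head = part.partition(b"\r\n\r\n")[0].decode("latin-1")
        for hdr in head.split("\r\n"):
            if hdr.lower().startswith("content-disposition:"):
                m = FILENAME_RE.search(hdr)
                if m:
                    names.append(m.group(1))
    return names

def is_dangerous_filename(name: str) -> Optional[str]:
    """Reason to block, or None. Every extension is checked, so evil.jsp.txt,
    a NUL byte, or a traversal sequence are all caught."""
    if "\x00" in name:
        return "NUL byte in filename"
    if ".." in name or "/" in name or "\\" in name:
        return "path separator or traversal in filename"
    hit = {e.lower() for e in name.split(".")[1:]} & DANGEROUS_EXT
    return f"dangerous extension {sorted(hit)}" if hit else None

def inspect_upload(content_type: str, body: bytes) -> List[str]:
    """WAF-style verdict: list of reasons to block; empty means let it through."""
    reasons = []
    for n in part_filenames(content_type, body):
        why = is_dangerous_filename(n)
        if why:
            reasons.append(f"{n!r}: {why}")
    return reasons

# --- constructed sample data (not real traffic) ------------------------------
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Feb/2023:10:14:02 +0000] "GET /OA_HTML/AppsLogin.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Feb/2023:10:15:31 +0000] "POST /OA_HTML/BneUploaderServlet HTTP/1.1" 200 312',
    '198.51.100.7 - - [02/Feb/2023:10:15:33 +0000] "GET /OA_HTML/evil.jsp?cmd=id HTTP/1.1" 200 87',
    '10.0.0.9 - - [02/Feb/2023:10:16:00 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/HomePG HTTP/1.1" 200 40211',
]
BOUNDARY = "----constructedboundary"
SAMPLE_CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="uploadFile"; filename="evil.jsp"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="attachment"; filename="report.xlsx"\r\n'
    "Content-Type: application/octet-stream\r\n\r\nPK\x03\x04...\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")

if __name__ == "__main__":
    for line_no, rule, detail in triage_access_log(SAMPLE_LOG):
        print(f"line {line_no} [{rule}] {detail}")
    for reason in inspect_upload(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print("block:", reason)
```

On the sample data the triage reports the POST to the servlet and the follow-up GET for `evil.jsp`, and the body inspector blocks only the `.jsp` part while letting the spreadsheet through. The allowlist approach for JSPs is what keeps the second rule quiet on a real install, where many legitimate JSPs sit under `/OA_HTML/`.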

---

## 🔗 **Official References**  

- [NVD – CVE-2022-21587](https://nvd.nist.gov/vuln/detail/CVE-2022-21587)  
- [Oracle Security Alert](https://www.oracle.com/security-alerts/cpuoct2022.html#AppendixEBS)  
- [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) (Search CVE)  
- [Rapid7 Blog – Exploitation Trends](https://www.rapid7.com/blog/post/2023/02/15/cve-2022-21587-oracle-e-business-suite-vulnerability-exploitation/)  

---

## ⚡ **Bonus: Quick Health Check Script (Bash)**  

```bash
#!/bin/bash
# A 200 only shows the servlet accepts an unauthenticated POST, not that the host
# is unpatched; confirm the patch level against the EBS applied-patch list.
URL="http://your-ebs-host:8000/OA_HTML/BneUploaderServlet"   # 8000 = default OHS port
TMP=$(mktemp) && echo probe > "$TMP"
CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$URL" -F "uploadFile=@$TMP"); rm -f "$TMP"
case "$CODE" in 200) echo "$CODE: servlet reachable unauthenticated (pre-patch behaviour)";; 401|403) echo "$CODE: rejected, authentication enforced";; *) echo "$CODE: unexpected, check host/port";; esac
```

---
File snapshot

```
/data/pocs/22ee68914a2c1bfb401d4f9b932c9ea020c200f6
├── CVE-2022-21587.py    (1.7K)
├── CVE-2022-21587.yaml  (3.9K)
└── README.md            (4.4K)
1 directory, 3 files
```