Latest Vulnerabilities in FortiSIEM, Oracle WebLogic, Apache Tomcat: CVE-2024-23108, CVE-2024-23109, CVE-2024-20931, CVE-2024-21733
The ever-evolving landscape of cybersecurity presents new challenges every day, with vulnerabilities emerging that demand our immediate attention. In this blog post, we will delve into the latest critical vulnerabilities affecting popular software solutions. Specifically, we will focus on significant vulnerabilities impacting Fortinet’s FortiSIEM solution, Oracle WebLogic Server, and Apache Tomcat. These vulnerabilities have recently come to light, posing potential risks to both organizations and individuals.
FortiSIEM Impacted by Critical OS Command Injection Vulnerabilities, CVE-2024-23108 and CVE-2024-23109
Fortinet has recently disclosed two critical vulnerabilities that impact the FortiSIEM (Fortinet Security Information and Event Management) supervisor, a cybersecurity solution designed to assist businesses in preventing breaches, identifying anomalies, and detecting threats.
The vulnerabilities, identified as CVE-2024-23108 and CVE-2024-23109, have maximum CVSS scores of 10.0 and involve OS command injection.
The vulnerabilities stem from FortiSIEM’s inadequate sanitization of input, including special characters and control elements, before processing them as OS commands. This can enable remote, unauthenticated threat actors to manipulate API requests and execute unauthorized commands, gain access to data, and potentially modify or delete it.
The affected FortiSIEM versions are as follows:
- 7.1.0 – 7.1.1
- 7.0.0 – 7.0.2
- 6.7.0 – 6.7.8
- 6.6.0 – 6.6.3
- 6.5.0 – 6.5.2
- 6.4.0 – 6.4.2
Fortinet has already addressed these vulnerabilities and advises system administrators to promptly update their instances to version 7.1.2 or above, or to the respective upcoming versions of FortiSIEM, to mitigate the risk of exploitation.
It is worth noting that searching for these vulnerabilities led to another Fortinet advisory regarding CVE-2023-34992, which was fixed in October 2023. The new vulnerabilities, CVE-2024-23108 and CVE-2024-23109, are known to impact the same FortiSIEM versions as CVE-2023-34992. It is expected that these new vulnerabilities will eventually be assigned the same classification or that Fortinet will release additional details about them in the near future.
Stay informed and safeguard your assets with SOCRadar’s proactive approach to vulnerability management.
With SOCRadar’s comprehensive monitoring of vulnerabilities, you can stay one step ahead in protecting your organizational assets. The Attack Surface Management (ASM) module provides valuable insights into the vulnerabilities impacting your assets, allowing you to prioritize patching efforts effectively.
Oracle WebLogic Server Vulnerability (CVE-2024-20931): Nearly 3 Million Instances Exposed
In its latest January 2024 patch, Oracle has addressed a significant vulnerability affecting WebLogic Server’s T3\IIOP protocol. This vulnerability, tracked as CVE-2024-20931, was reported to Oracle in October 2023 and is classified as a bypass for a previous vulnerability (CVE-2023-21839) in Oracle WebLogic Server.
The Proof-of-Concept (PoC) demonstration of this vulnerability highlights a new attack surface involving the JNDI (Java Naming and Directory Interface) API provided by Oracle as part of the Java platform.
The vulnerability occurs when WebLogic implements the OpaqueReference interface for a remote object bound by T3\IIOP. When the object is looked up, the getReferent function of the object is called. Exploiting this, the ForeignOpaqueReference object’s getReferent function initiates a JNDI query during the remote object query, resulting in JNDI injection. Ultimately, this vulnerability could lead to Remote Code Execution (RCE).
Concerningly, a search on the ZoomEye engine reveals numerous instances of Oracle WebLogic Server, with nearly 3 million accessible instances found predominantly in the United States and Japan, among other countries. These instances may be vulnerable to CVE-2023-21839.
PoC Exploit Available for Apache Tomcat Client-side De-sync Vulnerability, CVE-2024-21733
The Apache Software Foundation previously disclosed a vulnerability in the open-source web server Apache Tomcat, tracked as CVE-2024-21733. The vulnerability has resurfaced in discussions due to the recent public release of a PoC exploit.
While the severity of the vulnerability is considered medium (CVSS: 5.3), it carries the potential to expose sensitive information through error messages.
Specifically, the vulnerability involves incomplete POST requests triggering error responses that may contain data from a previous request made by another user. This vulnerability is classified as a client-side de-sync vulnerability through HTTP request smuggling.
Client-side de-sync (CSD) vulnerabilities arise when a web server mishandles the Content-Length of POST requests. An attacker can exploit this to manipulate a victim’s browser to lose synchronization with the website, leading to unauthorized data smuggling between the server and client connections.
Affected Apache Tomcat versions are as follows:
- 8.5.7 through 8.5.63
- 9.0.0-M11 through 9.0.43
Users are advised to upgrade to version 8.5.64 or later, or version 9.0.44 or later, as these versions include a fix for the vulnerability.
We have outlined the latest security threats surrounding FortiSIEM, Oracle WebLogic, and Apache Tomcat. As we conclude this blog post, it is important to remind that, in the journey of cybersecurity, staying current with the latest threat intelligence is as critical as prompt updating of software and components used in our business environments.
Ensure you stay informed about the most recent developments on identified vulnerabilities and hacker trends with SOCRadar’s Vulnerability Intelligence. By using Vulnerability Intelligence, you can access detailed information on identified vulnerabilities – including the latest vulnerabilities affecting FortiSIEM, Oracle WebLogic, and Apache Tomcat – and see whether an exploit is detected for a particular vulnerability.