Description
Oracle Access Manager, part of Oracle Fusion Middleware, is vulnerable to remote code execution through unsafe Java object deserialization in its OpenSSO Agent component (CVE-2021-35587). The affected endpoint accepts a serialized Java object over HTTP and deserializes it before any authentication takes place, so an unauthenticated attacker with network access to the server can submit a specially crafted serialized stream to execute arbitrary code on the host running Oracle Access Manager, or to crash the service. Oracle rates the issue CVSS 3.1 base score 9.8 (Critical); it has been exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog.
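As an added example (not from the advisory or from Oracle), the following Python check scans HTTP request bodies for the Java serialization stream header, which is the traffic-level indicator a defender can look for when an unpatched Oracle Access Manager is still exposed. It goes beyond the OAM case by unwrapping gzip, percent-encoding and base64 before looking for the header, so it applies to any Java deserialization endpoint. The sample requests are constructed here, and the partial java.util.HashMap stream they carry is only enough to trip the check; it is not an exploit payload.

```python
"""Flag HTTP request bodies carrying a Java serialization stream.

Added example, not from the advisory or from Oracle. A Java
ObjectOutputStream always begins with STREAM_MAGIC 0xACED followed by
STREAM_VERSION 0x0005, so that 4-byte header is the cheapest traffic-level
indicator of a deserialization attempt against an exposed endpoint. The
check unwraps the common transport encodings (gzip, percent-encoding,
base64) before looking for it. It says nothing about whether the stream
is a working gadget chain.
"""
import base64
import gzip
import re
import zlib
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple
from urllib.parse import quote_from_bytes, unquote_to_bytes

# java.io.ObjectStreamConstants.STREAM_MAGIC + STREAM_VERSION
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Base64 runs long enough to hold a serialized object; short tokens are ignored
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass(frozen=True)
class Finding:
    request_id: str
    encoding: str   # how the stream was wrapped: raw, gzip, base64, percent+raw, ...
    offset: int     # byte offset of the header inside the decoded data


def _find_raw(data: bytes, encoding: str) -> Iterator[Tuple[str, int]]:
    start = 0
    while (idx := data.find(JAVA_STREAM_MAGIC, start)) != -1:
        yield encoding, idx
        start = idx + 1


def _decode_b64(token: bytes) -> Optional[bytes]:
    stripped = token.rstrip(b"=")
    try:
        return base64.b64decode(stripped + b"=" * (-len(stripped) % 4), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def find_java_streams(body: bytes, prefix: str = "") -> Iterator[Tuple[str, int]]:
    """Yield (encoding, offset) for every Java stream header found in body."""
    yield from _find_raw(body, prefix + "raw")
    if body[:2] == b"\x1f\x8b":                      # gzip member header
        try:
            yield from _find_raw(gzip.decompress(body), prefix + "gzip")
        except (OSError, EOFError, zlib.error):
            pass
    for match in _B64_TOKEN.finditer(body):
        decoded = _decode_b64(match.group(0))
        if decoded:
            yield from _find_raw(decoded, prefix + "base64")
    if not prefix:                                    # one level of percent-decoding
        unquoted = unquote_to_bytes(body)
        if unquoted != body:
            yield from find_java_streams(unquoted, "percent+")


def scan_requests(requests: Iterable[dict]) -> List[Finding]:
    return [Finding(req["id"], enc, off)
            for req in requests
            for enc, off in find_java_streams(req["body"])]


def summarize(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Map request id -> sorted list of encodings a stream header was seen under."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.request_id, []).append(f.encoding)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample traffic. The "stream" is only the header plus the start of a
# java.util.HashMap class descriptor, enough to trip the check, not an exploit.
_STREAM = JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap"
SAMPLE_REQUESTS = [
    {"id": "benign-json", "body": b'{"username":"alice","password":"correct horse"}'},
    {"id": "raw-stream", "body": _STREAM},
    {"id": "base64-form", "body": b"sessionid=" + base64.b64encode(_STREAM) + b"&action=refresh"},
    {"id": "gzip-stream", "body": gzip.compress(_STREAM, mtime=0)},
    {"id": "percent-encoded", "body": b"payload=" + quote_from_bytes(_STREAM).encode()},
]

if __name__ == "__main__":
    for req_id, encodings in summarize(scan_requests(SAMPLE_REQUESTS)).items():
        print(f"{req_id}: Java serialization stream found ({', '.join(encodings)})")
```

Run against request bodies captured at a reverse proxy or WAF in front of the Oracle Access Manager server; any hit on an endpoint that has no business receiving serialized Java objects is worth an immediate look, since the header alone is not something a browser or a legitimate agent emits by accident. Deeper nesting (base64 inside gzip, for example) is deliberately not unwrapped to keep the check cheap.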
Remediation
Apply the Oracle Critical Patch Update of January 2022, or any later CPU (Oracle patches are cumulative), to the affected Oracle Access Manager releases 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Until the patch is in place, limit network access to the Oracle Access Manager server to trusted sources and inspect inbound HTTP traffic for Java serialization streams (bodies beginning with the 0xACED0005 stream header, or its base64 form starting with rO0AB), since a browser or a legitimate agent never sends one by accident.
References
Oracle Critical Patch Update Advisory - January 2022
Oracle Access Manager Pre-Auth RCE (CVE-2021-35587 Analysis)
Related Vulnerabilities
Movable Type 4.x unauthenticated remote command execution
WordPress Plugin Five Star Restaurant Menu-WordPress Ordering Remote Code Execution (2.2.0)
Spring Data REST RCE via PATCH requests
Python object deserialization of user-supplied data
OpenCms Chemistry XML External Entity (XXE) vulnerability (CVE-2023-42344)