CVE-2010-3585
published 2010-10-14

CVE-2010-3585: Unspecified vulnerability in the OracleVM component in Oracle VM 2.2.1 allows remote authenticated users to affect confidentiality, integrity, and availability…

Priority: P2 · 65 · critical · 9 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 52.71% (98.8th percentile)
Unspecified vulnerability in the OracleVM component in Oracle VM 2.2.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to ovs-agent. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a third party researcher that this is related to the exposure of unspecified functions using XML-RPC.

Affected

1 range

Vendor | Product | Version range | Fixed in
oracle | vm | |

Detection & IOCs (extracted from sources)

port: 8899
url: /RPC2
command: utl_test_url
command: sleep 3
  • Monitor for XML-RPC POST requests to /RPC2 on TCP port 8899 (ovs-agent) containing the 'utl_test_url' methodCall with shell meta-characters in the second parameter, indicating command injection attempts.
  • Detect HTTP Basic Auth attempts to the ovs-agent service using the hardcoded username 'oracle' on port 8899 over SSL; any successful authentication followed by an XML-RPC call to utl_test_url should be treated as suspicious.
  • A time-based detection heuristic can be used: if a 'sleep 3' command injected via utl_test_url causes a 3–4 second delay in the XML-RPC response, the target is confirmed vulnerable.
  • The exploit sends Content-Type 'application/xml' via HTTP POST to /RPC2; alert on this combination targeting port 8899 with a methodCall body referencing 'utl_test_url'.
  • SSL is enabled by default in the exploit module; detection infrastructure must be capable of inspecting SSL/TLS traffic on port 8899 to observe the malicious XML-RPC payloads.
  • Valid credentials are required to exploit this vulnerability; unauthenticated probes to port 8899 will not trigger the injection. Detection rules should account for authenticated sessions preceding the malicious methodCall.
  • The ovs-agent service typically runs with root privileges, meaning successful exploitation yields full system compromise; prioritize alerting accordingly.
  • The exploit deliberately disables HTTP junk_params and junk_slashes Metasploit options to ensure reliable delivery; detection signatures should not rely on the presence of those evasion artifacts.
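
The detection points above can be combined into one check over decrypted request records. This is an added example, not code from this page, the exploit module, or Oracle. The record layout (`dst_port`, `method`, `path`, `headers`, `body`), the metacharacter set and the sample requests are assumptions constructed for illustration, with the records presumed to come from a TLS-inspecting proxy.

```python
import base64
import re
import xml.etree.ElementTree as ET

SHELL_META = re.compile(r"[;&|`$()<>\n]")  # characters a shell would interpret

def basic_auth_user(headers):
    """Return the HTTP Basic username, or None if absent or malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token).decode("utf-8", "replace").split(":", 1)[0]
    except ValueError:
        return None

def inspect_request(req):
    """Return findings for one decrypted request record (hypothetical dict layout)."""
    if (req["dst_port"], req["method"], req["path"]) != (8899, "POST", "/RPC2"):
        return []
    body = req["body"]
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return ["DTD in XML-RPC body, not parsed"]  # avoid entity expansion in the sensor
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["utl_test_url in malformed body"] if "utl_test_url" in body else []
    if root.tag != "methodCall" or (root.findtext("methodName") or "").strip() != "utl_test_url":
        return []
    findings = ["utl_test_url methodCall"]
    if basic_auth_user(req["headers"]) == "oracle":
        findings.append("Basic auth as 'oracle'")
    values = ["".join(v.itertext()).strip() for v in root.findall("./params/param/value")]
    if len(values) >= 2 and SHELL_META.search(values[1]):
        findings.append("shell metacharacters in second parameter")
    return findings

def _call(method, *params):  # builds a constructed XML-RPC body for the samples
    items = "".join(f"<param><value><string>{p}</string></value></param>" for p in params)
    return f"<?xml version='1.0'?><methodCall><methodName>{method}</methodName><params>{items}</params></methodCall>"

_AUTH = {"Authorization": "Basic " + base64.b64encode(b"oracle:constructed").decode()}
SAMPLES = [  # constructed records, not captured traffic
    {"dst_port": 8899, "method": "POST", "path": "/RPC2", "headers": _AUTH,
     "body": _call("utl_test_url", "constructed-arg", "constructed;sleep 3")},
    {"dst_port": 8899, "method": "POST", "path": "/RPC2", "headers": _AUTH,
     "body": _call("utl_test_url", "constructed-arg", "constructed-arg")},
    {"dst_port": 8899, "method": "POST", "path": "/RPC2", "headers": {},
     "body": _call("hypothetical_method", "a", "b;c")},
]
```

Every `utl_test_url` call is reported, so the metacharacter finding can be used to raise severity rather than as the only trigger.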