CVE-2023-21890
Published: 2023-01-18
Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.84% (53.2nd percentile)
Vulnerability in the Oracle Communications Converged Application Server product of Oracle Communications (component: Core). Supported versions that are affected are 7.1.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via UDP to compromise Oracle Communications Converged Application Server. Successful attacks of this vulnerability can result in takeover of Oracle Communications Converged Application Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | communications_converged_application_server | — | — |
| oracle | communications_converged_application_server | — | — |
| oracle_corporation | communications_converged_application_server | — | — |
| oracle_corporation | communications_converged_application_server | — | — |
Detection & IOCs (extracted from sources)
- CVE-2023-21890 is exploitable over UDP; monitor for unexpected or malformed UDP traffic targeting Oracle Communications Converged Application Server (OCCAS) on its listening UDP ports.
- No authentication is required to exploit this vulnerability; any unauthenticated UDP traffic reaching OCCAS Core should be treated as suspicious.
- Successful exploitation results in full server takeover (C/I/A all HIGH); alert on unexpected process spawning or privilege escalation from the OCCAS process.
- Only versions 7.1.0 and 8.0.0 of Oracle Communications Converged Application Server are confirmed affected; detections should be scoped to hosts running these specific versions.
- The vulnerable component is specifically the 'Core' component of Oracle Communications Converged Application Server; focus detection on that component's network exposure.
- The attack vector is Network with no privileges or user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), meaning internet-exposed instances are at critical risk with no mitigating complexity.
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Vendor (Oracle): 9.8 CRITICAL
GHSA
GHSA-r23h-h8pw-fc6p (ghsa_unreviewed, 2023-01-18): CVE-2023-21890 [CRITICAL], CWE-94. Vulnerability in the Oracle Communications Converged Application Server product of Oracle Communications (component: Core); description identical to the NVD text above.
Oracle
Oracle Communications Risk Matrix: Core — CVE-2023-21890 (vendor_oracle, 2023-01-15, CVSS 9.8, CRITICAL)
CVE: CVE-2023-21890
CVSS: 9.8
Protocol: UDP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujan2023 (JAN 2023)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.