Wiz
Vulnerability DatabaseCVE-2022-35587

CVE-2022-35587
PHP vulnerability analysis and mitigation

Overview

CVE-2021-35587 is a critical vulnerability in Oracle Access Manager (OAM), a component of Oracle Fusion Middleware. The vulnerability affects OAM versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. It was initially disclosed in January 2022 as part of Oracle's Critical Patch Update. The vulnerability carries a CVSS score of 9.8, indicating its critical severity (Oracle CPE, NIST NVD).

Technical details

The vulnerability allows an unauthenticated attacker with network access via HTTP to completely compromise Oracle Access Manager instances. It specifically affects the OpenSSO Agent component and enables remote command execution without requiring authentication. The vulnerability has been assigned a CVSS Base Score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NIST NVD).

Impact

Successful exploitation of CVE-2021-35587 can result in complete takeover of Oracle Access Manager instances. Given that OAM is an enterprise-level security application providing web-perimeter security functions and web single sign-on services, compromise could have severe consequences for affected organizations. The vulnerability potentially allows attackers to create users with any privileges or execute arbitrary code on the victim's server (Hacker News).

Mitigation and workarounds

Oracle released patches for this vulnerability in their January 2022 Critical Patch Update. Organizations are strongly advised to apply these security updates immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog and requires federal agencies to apply vendor patches by December 19, 2022 (Hacker News).

Community reactions

The vulnerability has gained significant attention from the cybersecurity community, particularly after CISA added it to their KEV Catalog on November 28, 2022, due to evidence of active exploitation. Security researchers and threat intelligence firms have been actively monitoring and reporting on exploitation attempts in the wild (Censys).

Additional resources

SourceThis report was generated using AI

Related PHP vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-65346CRITICAL9.1
  • PHPPHP
  • alexusmai/laravel-file-manager
NoNoDec 04, 2025
CVE-2025-66468HIGH7.6
  • PHPPHP
  • aimeos/ai-cms-grapesjs
NoYesDec 02, 2025
CVE-2025-65345MEDIUM6.5
  • PHPPHP
  • alexusmai/laravel-file-manager
NoNoDec 03, 2025
CVE-2025-65657MEDIUM6.5
  • PHPPHP
  • feehi/cms
NoNoDec 02, 2025
CVE-2025-65186MEDIUM6.1
  • PHPPHP
  • getgrav/grav
NoNoDec 02, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo