CVE-2024-21205: 
Oracle Coherence vulnerability analysis and mitigation

A vulnerability (CVE-2024-21205) was discovered in Oracle Service Bus product of Oracle Fusion Middleware, specifically affecting the OSB Core Functionality component version 12.2.1.4.0. This vulnerability was disclosed in October 2024 and allows low-privileged attackers with network access via HTTP to compromise the Oracle Service Bus (Oracle CPU, NVD).

The vulnerability has been assigned a CVSS 3.1 Base Score of 6.5 (Medium severity) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The scoring indicates that the vulnerability is network-accessible (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), requires no user interaction (UI:N), has unchanged scope (S:U), and can result in high confidentiality impact (C:H) with no impact on integrity (I:N) or availability (A:N) (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Service Bus accessible data. The impact is primarily focused on confidentiality, with no direct effects on system integrity or availability (NVD).

Oracle has released patches for this vulnerability as part of the October 2024 Critical Patch Update. Organizations running Oracle Service Bus version 12.2.1.4.0 should apply the security patches as soon as possible. Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay (Oracle CPU).