The UK’s NHS Digital agency published a security advisory to warn organizations of a remote code execution flaw, tracked as CVE-2022-24295, impacting the Windows client for the Okta Advanced Server Access authentication management platform.
Okta Advanced Server Access provides Zero Trust identity and access management for cloud and on-premises infrastructure, it is used by thousands of compainies worldwide.
The vulnerability affects Okta Advanced Server Access Client for Windows prior to version 1.57.0.
The vulnerability is a remote code execution issue, remote attackers can trigger the vulnerability to perform command injection via a specially crafted URL.
“Okta has released a security update to address a remote code execution (RCE) vulnerability. A remote, unauthenticated attacker could exploit this command injection vulnerability by sending a specially crafted URL and take control of an affected system.” reads the advisory published by the company.
The successful exploitation of the vulnerability can lead to complete takeover of the vulnerable system.
The agency urges organizations to install security patches to address the vulnerability.
The vendor did not provide technical details about the issue to avoid its malicious exploitation in the wild. Customers have to apply the update urgently due to the absence of mitigations or workarounds.
The NHS Digital’s advisory also states that Okta has updated its response to Log4Shell vulnerabilities, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228.
“In addition to the main vulnerability mentioned in this cyber alert, please note that Okta has updated its response to Log4Shell vulnerabilities, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228. Further information can be found on Okta Security Advisories page and the blog post Okta’s response to CVE-2021-44228 (“Log4Shell”).” continues the advisory.
“NHS and social care organisations are invited visit our cyber alerts article Log4Shell RCE Vulnerability CC-3989 and to use the Cyber Associates Network to find out additional information and participate in discussion about the Log4Shell remote code execution vulnerability and affected products.”
(SecurityAffairs – hacking, NHS Digital)