Exploitable Vulnerability in Oracle Access Manager by Oracle
CVE-2021-35587

9.8CRITICAL

Key Information:

Vendor
Oracle
Status
Access Manager
Vendor
CVE Published:
19 January 2022

Badges

📈 Score: 598👾 Exploit Exists🟡 Public PoC🟣 EPSS 94%🦅 CISA Reported

What is CVE-2021-35587?

CVE-2021-35587 is a critical vulnerability affecting the Oracle Access Manager component of Oracle Fusion Middleware. This product is designed to provide secure access management, enabling organizations to manage user authentication and authorization seamlessly. The vulnerability allows unauthenticated attackers with network access to compromise the Oracle Access Manager, leading to potential complete control over the system. Given its role in safeguarding access points within organizations, exploiting this vulnerability can severely undermine an organization’s security infrastructure.

Technical Details

The vulnerability lies within the OpenSSO Agent of Oracle Access Manager, specifically in versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. It is rated with a CVSS 3.1 Base Score of 9.8, indicating a high level of severity due to its exploitability. Attackers can exploit this weakness without authentication and with minimal effort, making it particularly dangerous for organizations that have not adequately secured their systems against such threats.

Potential Impact of CVE-2021-35587

  1. Complete System Takeover: The vulnerability allows malicious actors to gain unauthorized access to the Oracle Access Manager, effectively taking over the system. This can lead to unauthorized actions within the organization's network and compromise sensitive data.

  2. High Risk to Confidentiality, Integrity, and Availability: The CVSS score reflects that successful exploitation affects not just confidentiality but also the integrity and availability of the system. This triad of risks can result in significant operational disruptions and data loss.

  3. Increased Vulnerability to Future Attacks: Once compromised, the affected Oracle Access Manager may become a launch pad for subsequent attacks within the network, potentially leading to widespread repercussions across interconnected systems and services.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

Access Manager 11.1.2.3.0

Access Manager 12.2.1.3.0

Access Manager 12.2.1.4.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-35587
Created by antx-code

References

https://www.oracle.com/security-alerts/cpujan2022.html
x_refsource_MISC

EPSS Score

94% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🦅

    CISA Reported

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.