CVE-2021-35587
Published: 19 January 2022
Summary
CVE-2021-35587 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Access Manager. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
The vulnerability affects the OpenSSO Agent component of Oracle Access Manager in Oracle Fusion Middleware versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. It is an easily exploitable flaw that permits unauthenticated remote compromise over HTTP, with a CVSS 3.1 base score of 9.8 reflecting complete loss of confidentiality, integrity, and availability. The associated CWEs reference missing authentication for critical functionality.
An unauthenticated attacker with network access via HTTP can exploit the issue to fully take over the Oracle Access Manager instance without requiring user interaction or elevated privileges.
The January 2022 Oracle Critical Patch Update addresses the flaw, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities, indicating active in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-22223
Vulnerability details
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 28 November 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and access policy on the OpenSSO Agent, blocking the unauthenticated HTTP requests that enable full compromise.
- IA-2 (Identification and Authentication (Organizational Users)): Requires unique identification and authentication of users before granting access to Oracle Access Manager, eliminating the missing-authentication flaw.
- Mandates authentication and usage restrictions for all network-accessible interfaces (HTTP), limiting the remote unauthenticated attack path.