Cyber Resilience

CVE-2021-35587

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 19 January 2022
Modified: 27 October 2025
KEV Added: 28 November 2022
Patch: Oracle Critical Patch Update, January 2022
CVSS Score (v3.1): 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9427 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-35587 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Access Manager. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of all CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

The vulnerability affects the OpenSSO Agent component of Oracle Access Manager in Oracle Fusion Middleware versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. The flaw is easily exploitable: an attacker needs only HTTP network access, and the CVSS 3.1 base score of 9.8 reflects complete loss of confidentiality, integrity, and availability. The associated CWE is CWE-306 (Missing Authentication for Critical Function).

An unauthenticated attacker with network access via HTTP can exploit the issue to fully take over the Oracle Access Manager instance without requiring user interaction or elevated privileges.

The January 2022 Oracle Critical Patch Update addresses the flaw, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities, indicating active in-the-wild exploitation. Because Oracle delivers these fixes as patches applied on top of an existing release, an installed version string of 12.2.1.4.0 alone does not show whether a system is fixed; confirm from the installed patch inventory that the January 2022 (or a later) Critical Patch Update has been applied.
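The three facts a practitioner acts on from this page are the CVSS vector (pre-auth, network-reachable, no interaction), the affected version list, and the weighted Risk Priority. The following is an added example, not code from the page or from Oracle, that parses the vector, matches a constructed asset inventory against the affected versions, and reproduces the page's priority score. The weights (60/20/20) are the page's; the scaling of each term to 0-100 is an assumption of this example, as are the inventory rows and the asset field names.

```python
"""Triage helper for CVE-2021-35587 (Oracle Access Manager, OpenSSO Agent).

Added example, not code from the page or from Oracle. Everything below
that is not quoted from the advisory text (weights aside) is an assumption
of this example: the 0-100 scaling of each priority term, the inventory
format, and the sample rows.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

CVE_ID = "CVE-2021-35587"
CVSS_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
CVSS_SCORE = 9.8
EPSS_SCORE = 0.9427
IN_KEV = True
# Affected versions exactly as listed in the advisory text on the page.
AFFECTED_VERSIONS = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}


def parse_cvss_vector(vector: str) -> dict[str, str]:
    """Split a CVSS 3.x vector string into a metric -> value mapping."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS 3.x vector: {vector!r}")
    return dict(p.split(":", 1) for p in parts[1:])


def is_preauth_network_takeover(vector: str) -> bool:
    """True for the worst-case profile this CVE carries: reachable from the
    network, no privileges, no user interaction, full C/I/A impact."""
    m = parse_cvss_vector(vector)
    return (m.get("AV") == "N" and m.get("PR") == "N" and m.get("UI") == "N"
            and m.get("C") == "H" and m.get("I") == "H" and m.get("A") == "H")


def risk_priority(epss: float, in_kev: bool, cvss: float) -> int:
    """Weighted 0-100 priority. Weights are the page's (60% EPSS, 20% KEV,
    20% CVSS). ASSUMPTION: EPSS (0-1) and CVSS (0-10) are scaled to 0-100
    and KEV membership counts as 100 or 0. With the page's inputs this
    reproduces its score of 96."""
    score = (0.6 * (epss * 100)
             + 0.2 * (100 if in_kev else 0)
             + 0.2 * (cvss * 10))
    return round(score)


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str


def is_affected(asset: Asset) -> bool:
    """Exact-version match against the advisory's affected list.
    Vendor and product compare case-insensitively. A match means the host
    is a CANDIDATE: Oracle CPU patches do not change the version string,
    so patched and unpatched 12.2.1.4.0 look identical here."""
    return (asset.vendor.strip().lower() == "oracle"
            and asset.product.strip().lower() == "access manager"
            and asset.version.strip() in AFFECTED_VERSIONS)


def find_affected(inventory_csv: str) -> list[Asset]:
    """Parse a hostname,vendor,product,version CSV and return candidates."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    assets = [Asset(r["hostname"], r["vendor"], r["product"], r["version"])
              for r in rows]
    return [a for a in assets if is_affected(a)]


# Constructed inventory for the example; hostnames and rows are invented.
INVENTORY_CSV = """\
hostname,vendor,product,version
sso-prod-01,Oracle,Access Manager,12.2.1.4.0
sso-prod-02,Oracle,Access Manager,12.2.1.3.0
idm-legacy-01,oracle,access manager,11.1.2.3.0
sso-dev-01,Oracle,Access Manager,14.1.2.1.0
web-01,Apache,HTTP Server,2.4.57
"""


def triage(inventory_csv: str = INVENTORY_CSV) -> dict:
    """Single call that yields what a ticket for this CVE needs."""
    return {
        "cve": CVE_ID,
        "preauth_network_takeover": is_preauth_network_takeover(CVSS_VECTOR),
        "priority": risk_priority(EPSS_SCORE, IN_KEV, CVSS_SCORE),
        "candidates": [a.hostname for a in find_affected(inventory_csv)],
    }


if __name__ == "__main__":
    print(triage())
```

Hosts returned under `candidates` need a second check against the installed patch inventory before they are marked vulnerable or fixed; the version string cannot distinguish the two.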


Vulnerability details

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s): CWE-306 Missing Authentication for Critical Function
KEV Date Added: 28 November 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Oracle Access Manager: 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

The controls below describe the property the vulnerable component lacks (authentication before a critical function is exposed). They frame the risk but do not remove the flaw; only the January 2022 Critical Patch Update does that.

AC-3 Access Enforcement (prevent): Directly enforces authentication and access policy on the OpenSSO Agent, blocking the unauthenticated HTTP requests that enable full compromise.

IA-2 Identification and Authentication (Organizational Users) (prevent): Requires unique identification and authentication of users before granting access to Oracle Access Manager, addressing the missing-authentication weakness.

AC-17 Remote Access, partial match (prevent): Mandates authentication and usage restrictions for all network-accessible interfaces (HTTP), limiting the remote unauthenticated attack path.
