CVE-2021-2189 in Sales Offlineinfo

Summary

by MITRE • 04/23/2021

Vulnerability in the Oracle Sales Offline product of Oracle E-Business Suite (component: Template). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Sales Offline. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Sales Offline. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/25/2021

The vulnerability identified as CVE-2021-2189 represents a critical availability threat within Oracle Sales Offline component of the Oracle E-Business Suite ecosystem. This weakness resides specifically within the template processing functionality and affects multiple version ranges including 12.1.1 through 12.1.3 and 12.2.3 through 12.2.10. The vulnerability's classification as easily exploitable indicates that attackers can leverage it without requiring specialized skills or privileged access, making it particularly dangerous in production environments where such systems handle critical business operations.

The technical nature of this flaw manifests through improper input validation within the template processing module, allowing malicious actors to craft specific HTTP requests that trigger buffer overflows or memory corruption conditions. When exploited, these malformed requests cause the Oracle Sales Offline application to enter a state of indefinite hang or experience repeated crashes, effectively rendering the service unavailable to legitimate users. The vulnerability's CVSS score of 7.5 reflects its high impact potential with a base score of 7.5 indicating a high severity threat that can result in complete denial of service conditions without requiring authentication or privileged access.

From an operational perspective, this vulnerability creates significant business continuity risks for organizations relying on Oracle Sales Offline for their sales operations and data management processes. The unauthenticated nature of the attack means that any network-accessible system running the vulnerable software becomes immediately vulnerable to exploitation, potentially affecting sales teams, customer data access, and overall business productivity. The availability impact is particularly severe as it can completely disable the application's ability to process sales transactions, manage templates, or maintain data integrity. Organizations may experience extended downtime while remediation efforts are implemented, potentially leading to revenue loss and customer service disruptions.

The attack surface for this vulnerability aligns with the ATT&CK framework's privilege escalation and denial of service tactics, specifically targeting the application layer where network-based attacks can be executed. This weakness also corresponds to CWE-121, which addresses stack-based buffer overflow conditions, and CWE-122, which covers heap-based buffer overflow scenarios. Organizations should implement immediate mitigations including applying Oracle's security patches, implementing network segmentation to limit access to affected systems, and deploying intrusion detection systems to monitor for exploitation attempts. Additionally, network administrators should consider implementing web application firewalls to filter suspicious HTTP requests and establish monitoring protocols to detect potential denial of service conditions. The vulnerability's scope requires comprehensive assessment of all Oracle E-Business Suite installations to identify and remediate affected systems before attackers can exploit this weakness.

Responsible

Oracle

Reservation

12/09/2020

Disclosure

04/23/2021

Moderation

accepted

CPE

ready

EPSS

0.14700

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!