CVE-2021-35582 in Applications Manager

Summary

by MITRE • 10/20/2021

Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: View Reports). Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Manager accessible data as well as unauthorized read access to a subset of Oracle Applications Manager accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Applications Manager. CVSS 3.1 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).


Analysis

by VulDB Data Team • 10/24/2021

The vulnerability identified as CVE-2021-35582 affects Oracle Applications Manager within the Oracle E-Business Suite, specifically within the View Reports component. This security flaw exists in Oracle E-Business Suite versions 12.1.3 and 12.2.3 through 12.2.10, representing a significant risk to organizations utilizing these legacy systems. The vulnerability operates at the application layer and can be exploited through HTTP network connections, making it accessible to attackers who can establish network communication with the target system. The security implications extend beyond the immediate component, as successful exploitation can impact additional Oracle products within the suite, creating cascading effects throughout the enterprise environment.

The technical nature of this vulnerability stems from insufficient authorization controls within the View Reports functionality of Oracle Applications Manager. Attackers with low privileges can leverage this weakness to perform unauthorized operations including data modification, insertion, and deletion within the affected system. The vulnerability requires human interaction from users other than the attacker, indicating that social engineering or user manipulation may be necessary to achieve successful exploitation. This characteristic places additional emphasis on user awareness and training programs as part of the overall security posture. The vulnerability's classification as easily exploitable means that attackers with minimal technical expertise can potentially compromise the system, while the CVSS 3.1 score of 6.5 indicates a moderate to high severity threat level.

The operational impact of this vulnerability extends across multiple security domains including confidentiality, integrity, and availability. Attackers can gain unauthorized read access to sensitive data subsets within Oracle Applications Manager, potentially exposing confidential business information. The ability to perform unauthorized updates, inserts, and deletes creates significant data integrity risks, allowing malicious actors to corrupt or manipulate critical business data. Additionally, the vulnerability can result in partial denial of service conditions, disrupting normal business operations and potentially affecting multiple users within the organization. The CVSS vector shows that the attack is reachable over the network (AV:N) with low attack complexity (AC:L) and low privileges (PR:L), while user interaction is required (UI:R), suggesting that this vulnerability could be exploited through targeted social engineering campaigns or by leveraging compromised user accounts.

Organizations should implement immediate mitigations including applying the relevant Oracle security patches and updates as provided in Oracle's Critical Patch Updates. Network segmentation and access controls should be enhanced to limit unnecessary HTTP access to Oracle Applications Manager components. Regular security monitoring and audit logging should be implemented to detect unauthorized access attempts or suspicious activities within the Oracle E-Business Suite environment. The vulnerability aligns with CWE-284 (Improper Access Control) and represents a significant concern for organizations operating legacy Oracle systems, as it demonstrates how outdated components can remain vulnerable to exploitation even when the broader enterprise security posture is considered adequate. This vulnerability also maps to the ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing), as attackers may need to leverage legitimate user credentials or manipulate users into performing actions that facilitate exploitation.

Responsible

Oracle

Reservation

06/28/2021

Disclosure

10/20/2021

Moderation

accepted

CPE

ready

EPSS

0.00487

KEV

no

Activities

very low
