CVE-2021-35611 in Sales Offline
Summary
by MITRE • 10/20/2021
Vulnerability in the Oracle Sales Offline product of Oracle E-Business Suite (component: Offline Template). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Sales Offline. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Sales Offline. CVSS 3.1 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).
Analysis
by VulDB Data Team • 10/24/2021
CVE-2021-35611 resides in the Oracle Sales Offline component of Oracle E-Business Suite, specifically in its Offline Template functionality. It affects versions 12.1.1 through 12.1.3 and 12.2.3 through 12.2.10, which remain in use in many organizations and therefore represent a significant attack surface. Oracle classifies the vulnerability as easily exploitable: an attacker needs only low privileges and network access over HTTP to trigger it, which makes it relevant to enterprise deployments where the application is reachable across the network.
The flaw in the offline template processing mechanism lets an authenticated, low-privileged attacker degrade the availability of Oracle Sales Offline. The result is a partial denial of service: normal operation of the Sales Offline functionality is disrupted, but the system is not otherwise compromised. The CVSS 3.1 base score of 4.3 follows from the vector: network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and a low availability impact (A:L) with no confidentiality or integrity impact (C:N, I:N). The vulnerability therefore permits neither information disclosure nor data modification; its effect is limited to availability.
Operationally, the vulnerability matters most to sales organizations that depend on offline functionality, in particular where mobile sales representatives rely on cached data and offline processing. A partial denial of service against the offline template processing can severely disrupt sales workflows, customer interactions, and business continuity, and thereby affect sales team productivity and revenue generation. Beyond the immediate operational effect, prolonged disruption can degrade customer service.
Organizations should apply Oracle's security patches to the affected versions, segment the network to limit access to the vulnerable component, and monitor for suspicious HTTP requests targeting the offline template functionality. Access controls should restrict HTTP access to the component to authorized users, and firewalls should limit its exposure to internal networks. The vulnerability is classified as CWE-284 (Improper Access Control) and may map to ATT&CK techniques related to privilege escalation and denial of service. Regular security assessments should be conducted to identify similar weaknesses in other Oracle E-Business Suite components, and organizations should plan migration to supported versions as part of their vulnerability management process.