CVE-2021-2062

CVSS Base Score: 7.6 (HIGH)

📋 TL;DR

This vulnerability in Oracle BI Publisher allows a low-privileged, authenticated attacker with network access via HTTP to compromise the product; exploitation requires interaction from a person other than the attacker. Successful exploitation can lead to unauthorized access to critical data and unauthorized modification of Oracle BI Publisher data. Affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.

💻 Affected Systems

Products:
  • Oracle BI Publisher
Versions: 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Operating Systems: All supported platforms for Oracle Fusion Middleware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Oracle Fusion Middleware component Web Server. Requires network access via HTTP and low privileged attacker account.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all Oracle BI Publisher accessible data including unauthorized access to critical information and unauthorized data modification across connected systems.

🟠

Likely Case

Unauthorized access to sensitive business intelligence data and reports, potentially leading to data theft or manipulation of published reports.

🟢

If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and user interaction monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires an authenticated low-privilege account and user interaction from another person. The CVSS vector rates attack complexity as low, so the flaw is considered easily exploitable once those preconditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update for January 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate Critical Patch Update from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart the Oracle BI Publisher service.
4. Verify the patch was applied successfully.

🔧 Temporary Workarounds

Network Segmentation (applies to: all affected versions)

Restrict network access to Oracle BI Publisher to only trusted sources and required users.

Privilege Reduction (applies to: all affected versions)

Implement the least privilege principle and review user permissions to minimize the attack surface.

🧯 If You Can't Patch

  • Implement strict network access controls and firewall rules to limit HTTP access to Oracle BI Publisher
  • Enhance monitoring and alerting for suspicious user interactions and data access patterns

🔍 How to Verify

Check if Vulnerable:

Compare the installed Oracle BI Publisher version (shown in the administration console or queryable from the application interface) against the affected list: 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0. An affected version without the January 2021 Critical Patch Update applied is vulnerable.

Check Version:

Check Oracle BI Publisher version through the application's administration interface or configuration files.

Verify Fix Applied:

Verify that the applied patch level matches or exceeds the Critical Patch Update for January 2021 for the installed release line.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to BI Publisher endpoints
  • Multiple failed authentication attempts followed by successful low-privilege access
  • Unexpected data access or modification patterns

Network Indicators:

  • HTTP traffic patterns indicating user interaction exploitation
  • Unusual data exfiltration from BI Publisher servers

SIEM Query (illustrative; the source name and field names must be mapped to the log schema your SIEM actually ingests):

source="oracle_bi_publisher" AND (event_type="data_access" OR event_type="report_modification") AND user_privilege="low" AND success="true"

🔗 References

  • Oracle Critical Patch Update Advisory - January 2021: https://www.oracle.com/security-alerts/cpujan2021.html