CVE-2021-2077

8.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)

📋 TL;DR

This vulnerability in the Shopping Cart component of Oracle iStore lets an unauthenticated attacker with network access over HTTP read data reachable through iStore and update, insert or delete some of it. It affects Oracle E-Business Suite versions 12.1.1-12.1.3 and 12.2.3-12.2.10. Successful exploitation requires human interaction from a person other than the attacker, and because the flaw is scope-changing the impact can extend beyond iStore to other E-Business Suite products.

💻 Affected Systems

Products:
  • Oracle E-Business Suite iStore
Versions: 12.1.1-12.1.3 and 12.2.3-12.2.10
Operating Systems: All platforms running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes, wherever the iStore module is in use and its pages are reachable over HTTP
Notes: The flaw is in iStore's Shopping Cart component; no authentication to the storefront is needed. On-premise and hosted deployments of the affected releases are equally exposed.

📦 What is this software?

Oracle iStore is the self-service web storefront module of Oracle E-Business Suite: it serves the public-facing catalog, shopping cart and checkout pages that sit in front of the suite's order management back end, which is why it is typically the one E-Business Suite component exposed to the Internet.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete read access to all data reachable through Oracle iStore (customer, order and pricing data), plus unauthorized update, insert or delete of some of that data; because the vulnerability is scope-changing, the impact can reach other E-Business Suite products that share the instance.

🟠

Likely Case

Unauthorized access to sensitive customer and business data stored in iStore, with potential data manipulation in shopping cart functionality.

🟢

If Mitigated

Limited impact where iStore pages are not reachable from untrusted networks, users are trained not to follow unexpected links into the storefront, and access-log monitoring is in place. Authentication controls do not help here: the attacker needs no account.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack complexity is low and no privileges are required, so the only barrier is the user-interaction requirement (CVSS UI:R): a person other than the attacker must take some action, for example by following an attacker-supplied link into the storefront. That makes the attack a social-engineering exercise rather than a purely remote one, but it does not raise the technical bar.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update for January 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2021.html

Restart Required: Yes

Instructions:

1. Download the E-Business Suite patches listed for your release line in the January 2021 Critical Patch Update documentation from My Oracle Support, together with any prerequisite patches they name.
2. Apply the patch using Oracle's standard tooling for your release: adpatch in maintenance mode on 12.1, or an adop online-patching cycle (prepare, apply, finalize, cutover, cleanup) on 12.2.
3. Restart the affected application-tier services (on 12.2 the adop cutover phase does this for you).
4. Test iStore functionality, in particular the shopping cart and checkout pages, after patching.

🔧 Temporary Workarounds

Network Segmentation

Platforms: all

Restrict HTTP/HTTPS access to the iStore pages to trusted source networks only. If the storefront must stay public, put it behind a reverse proxy that exposes only the iStore paths and no other E-Business Suite URLs.

Web Application Firewall Rules

Platforms: all

Implement WAF rules for the iStore endpoints that block requests with anomalous or encoded parameter values and, where the storefront is only linked from your own pages, requests arriving with a foreign Referer. With no public exploit details, such rules are generic and reduce exposure; they cannot be relied on to block this CVE.

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP access to the Oracle iStore pages to the networks that need them
  • Enable detailed access logging on the web tier and monitor for the iStore request patterns listed under Detection & Monitoring
  • Treat the workarounds as exposure reduction only: the flaw needs no authentication, so patching is the only fix

🔍 How to Verify

Check if Vulnerable:

Check whether the Oracle E-Business Suite release falls within 12.1.1-12.1.3 or 12.2.3-12.2.10 and whether the iStore module is in use.

Check Version:

Read the release from the application's About page (Help > About Oracle Applications) or from the release_name column of the fnd_product_groups table in the APPS schema. Compare the numeric components, not the strings: "12.2.10" sorts before "12.2.9" as text.

Verify Fix Applied:

The release name does not change when a Critical Patch Update is applied, so a version check alone cannot prove you are fixed. Confirm that the January 2021 (or later) CPU patch numbers for your release line appear in the applied-patch history (the ad_bugs table in the APPS schema, or the patch history in Oracle Applications Manager).
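The version check above, as an added example (not code from the original advisory or from Oracle): it takes the release string that fnd_product_groups returns, tests it against the advisory's two inclusive ranges with numeric rather than string comparison, and combines that with the result of the patch-history lookup. The sample release strings are constructed, and the CPU patch number in the SQL is a placeholder to be taken from the CPU documentation for your release line.

```python
"""Triage an Oracle EBS instance for CVE-2021-2077 from its release string.

Added example, not part of the original page. The release string is what
``SELECT release_name FROM apps.fnd_product_groups`` returns, e.g. "12.2.10".
Being inside an affected range does not prove the system is unpatched: the
release name does not change when a CPU is applied, so the patch-history
lookup (PATCH_CHECK_SQL) is the second half of the check.
"""
import re
from typing import Optional, Tuple

# Affected ranges from the advisory, inclusive at both ends.
AFFECTED_RANGES = [
    ((12, 1, 1), (12, 1, 3)),
    ((12, 2, 3), (12, 2, 10)),
]

# Run against the APPS schema. :cpu_patch is a placeholder for the EBS patch
# number(s) listed in the January 2021 CPU documentation for your release line.
PATCH_CHECK_SQL = (
    "SELECT bug_number, creation_date "
    "FROM apps.ad_bugs WHERE bug_number = :cpu_patch"
)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_release(release_name: str) -> Tuple[int, int, int]:
    """Return (major, minor, point) from a release string such as '12.2.10'."""
    m = _VERSION_RE.match(release_name)
    if not m:
        raise ValueError(f"unrecognised release string: {release_name!r}")
    major, minor, point = (int(x) for x in m.groups())
    return (major, minor, point)


def is_affected(release_name: str) -> bool:
    """True if the release lies inside one of the advisory's affected ranges.

    Tuple comparison is numeric, so (12, 2, 10) > (12, 2, 9); comparing the
    raw strings would get that wrong ("12.2.10" < "12.2.9" as text).
    """
    v = parse_release(release_name)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(release_name: str, cpu_patch_applied: Optional[bool]) -> str:
    """Combine the version check with the patch-history result.

    cpu_patch_applied: True/False from running PATCH_CHECK_SQL, or None if the
    lookup has not been done yet.
    """
    if not is_affected(release_name):
        return "not in affected range"
    if cpu_patch_applied is None:
        return "affected range; run PATCH_CHECK_SQL to confirm patch state"
    return "patched" if cpu_patch_applied else "VULNERABLE: affected range, CPU not applied"


if __name__ == "__main__":
    # Constructed sample inputs; on a real system feed in the query results.
    for rel, patched in [("12.2.10", False), ("12.2.10", True), ("12.1.3", None), ("12.2.11", None)]:
        print(f"{rel:8} -> {triage(rel, patched)}")
```

Plug the two query results into triage(); anything that comes back VULNERABLE or "affected range; run PATCH_CHECK_SQL" needs action.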

📡 Detection & Monitoring

Log Indicators:

  • Requests to iStore pages (served as ibe*.jsp under /OA_HTML/ in a standard install) from source addresses that never reach the storefront normally
  • iStore requests whose Referer is a host other than your own storefront, or whose parameters carry unexpected encoded content; since the attacker needs no account, failed-login activity is not an indicator for this CVE

Network Indicators:

  • HTTP traffic to iStore pages from unexpected IP ranges, or to iStore pages on an instance where the storefront is not supposed to be reachable externally
  • Unusually large or repetitive responses from iStore pages, suggesting bulk retrieval of catalog, customer or order data

SIEM Query (Splunk SPL; the index, sourcetype, field names and trusted range are deployment-specific placeholders, adjust them to your own web-tier logs):

index=oracle_ebs sourcetype=ohs:access uri_path="/OA_HTML/ibe*"
| where NOT cidrmatch("10.0.0.0/8", src_ip)
| stats count values(uri_path) AS pages by src_ip, referer
| sort - count
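The same detection logic run offline over access-log lines, as an added example (not from the original page or from Oracle): it parses Apache/OHS combined-format lines, keeps only requests to iStore pages (ibe*.jsp under /OA_HTML/, the standard iStore page prefix; confirm against your own logs), and raises a finding when the request comes from outside the trusted networks or carries a Referer from a host other than the storefront. The four log lines, TRUSTED_NETS and OWN_HOSTS are constructed placeholders; the foreign-Referer rule is a heuristic for the user-interaction requirement (a victim following an attacker-supplied link), not a signature for this CVE.

```python
"""Flag iStore requests matching the advisory's log indicators.

Added example, not part of the original page. Scans combined-format access
log lines and reports iStore requests from untrusted networks or with a
foreign Referer. Sample log lines and network settings are constructed.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Placeholders for this deployment: networks allowed to reach the storefront
# and the hostnames the storefront is served on.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
OWN_HOSTS = {"store.example.com"}
ISTORE_PREFIX = "/OA_HTML/ibe"  # iStore JSPs are named ibe*.jsp

# Apache/OHS combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: trusted user, external attacker-referred hit, a non-iStore
# page, and an internal user who arrived from a foreign link.
SAMPLE_LOG = """\
10.20.30.40 - - [19/Jan/2021:10:00:01 +0000] "GET /OA_HTML/ibeCZzpHome.jsp HTTP/1.1" 200 5120 "https://store.example.com/OA_HTML/ibeCZzpHome.jsp" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2021:10:00:05 +0000] "GET /OA_HTML/ibeCCtpSctDspRte.jsp?a=b HTTP/1.1" 200 2048 "http://attacker.example/lure.html" "Mozilla/5.0"
10.20.30.41 - - [19/Jan/2021:10:00:09 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/webui/HomePG HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.20.30.42 - - [19/Jan/2021:10:00:12 +0000] "GET /OA_HTML/ibeCCtpSctDspRte.jsp HTTP/1.1" 200 2048 "https://evil.example/" "Mozilla/5.0"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line[:60]!r}")
    return m.groupdict()


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per iStore request that trips an indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        path = urlsplit(rec["target"]).path
        if not path.startswith(ISTORE_PREFIX):
            continue  # not an iStore page
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted source")
        referer = rec["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host and ref_host not in OWN_HOSTS:
            reasons.append(f"foreign referer {ref_host}")
        if reasons:
            findings.append({"ip": rec["ip"], "path": path, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['path']:40} {f['reasons']}")
```

Feed real web-tier logs into analyse() and review the findings by source address; a public storefront will produce "untrusted source" hits constantly, so on such deployments drop that rule and keep only the Referer and parameter checks.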

🔗 References

  • Oracle Critical Patch Update Advisory, January 2021: https://www.oracle.com/security-alerts/cpujan2021.html
  • NVD entry for CVE-2021-2077: https://nvd.nist.gov/vuln/detail/CVE-2021-2077