CVE-2021-2079

8.2 HIGH

📋 TL;DR

This vulnerability in Oracle Configurator allows unauthenticated attackers with HTTP network access to read sensitive data and modify information. It affects Oracle Supply Chain Configurator versions 12.1 and 12.2. Successful exploitation requires user interaction, and although the flaw is in Configurator, its impact may extend to other connected systems.

💻 Affected Systems

Products:
  • Oracle Configurator
Versions: 12.1 and 12.2
Operating Systems: Not specified - likely platform independent
Default Config Vulnerable: ⚠️ Yes
Notes: Part of the Oracle Supply Chain suite; exploitation requires network access via HTTP and human interaction.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Oracle Configurator accessible data including unauthorized viewing of critical information and modification/deletion of data, potentially affecting integrated supply chain systems.

🟠 Likely Case

Unauthorized access to sensitive configuration data and limited data manipulation within the Configurator component.

🟢 If Mitigated

Limited impact with proper network segmentation and user awareness training to prevent interaction with malicious requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Rated easily exploitable in Oracle's assessment; requires user interaction but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update for January 2021

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2021.html

Restart Required: Yes

Instructions:

1. Download the Critical Patch Update from Oracle Support.
2. Apply the patch to affected Oracle Configurator installations.
3. Restart affected services.
4. Test functionality.

🔧 Temporary Workarounds

Network Segmentation

Platform: linux

Restrict network access to the Oracle Configurator UI Servlet port to trusted sources only. The ACCEPT rule must precede the DROP rule, as below; repeat the ACCEPT line for each trusted source:

iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP

Web Application Firewall

Platform: all

Implement WAF rules to block suspicious HTTP requests to Configurator endpoints

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Monitor for suspicious HTTP requests to Configurator UI endpoints

🔍 How to Verify

Check if Vulnerable:

Check Oracle Configurator version against affected versions 12.1 or 12.2

Check Version:

Check Oracle Configurator version through application interface or configuration files

Verify Fix Applied:

Verify Critical Patch Update January 2021 is applied and version is updated

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Configurator UI Servlet endpoints
  • Unauthorized access attempts from unexpected IP addresses

Network Indicators:

  • HTTP traffic to Configurator ports from untrusted sources
  • Suspicious request patterns to /ui/servlet/* endpoints

SIEM Query:

source="oracle_configurator" AND (http_method="POST" OR http_method="GET") AND uri="/ui/servlet/*" AND src_ip NOT IN [TRUSTED_NETWORKS]
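The SIEM query above expresses the detection as "GET or POST to /ui/servlet/* from a source outside the trusted networks". The following script is an added example, not part of this advisory page or of any Oracle tooling: it implements the same logic in plain Python over constructed web-server access log lines in Common Log Format, so the rule can be checked against sample data before it is deployed. The trusted network ranges, the log lines, and the servlet path /ui/servlet/UiServlet (a placeholder under the page's /ui/servlet/* pattern) are assumptions made for illustration; the only element taken from the page is the /ui/servlet/ prefix.

```python
"""Flag HTTP requests to Configurator UI servlet paths from untrusted sources.

Added example (not from the advisory page): a plain-Python equivalent of the
page's SIEM query, run over constructed access log lines in Common Log Format.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Assumed trusted networks; replace with the ranges that should reach Configurator.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Path prefix from the advisory's network indicator "/ui/servlet/*".
SERVLET_PREFIX = "/ui/servlet/"

# Common Log Format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True if ip lies inside a trusted network; unparsable addresses count as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def normalized_path(raw_path):
    """Drop the query string and decode percent-encoding before the prefix check,
    so a request logged as /ui/%73ervlet/... is still matched as a servlet request."""
    return unquote(raw_path.split("?", 1)[0])


def flag_requests(lines, networks=TRUSTED_NETWORKS):
    """Equivalent of the page's SIEM query: GET/POST to /ui/servlet/* from a source
    outside the trusted networks. Malformed lines are skipped rather than raised."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("GET", "POST"):
            continue
        if not normalized_path(rec["path"]).startswith(SERVLET_PREFIX):
            continue
        if is_trusted(rec["ip"], networks):
            continue
        hits.append(rec)
    return hits


def hits_by_source(hits):
    """Count flagged requests per source IP, to surface bursts from a single host."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log. '/ui/servlet/UiServlet' is a placeholder under the
# advisory's '/ui/servlet/*' pattern, not a path taken from Oracle documentation.
SAMPLE_LOG = """\
10.1.2.3 - - [17/Feb/2021:10:00:01 +0000] "GET /ui/servlet/UiServlet HTTP/1.1" 200 5123
203.0.113.45 - - [17/Feb/2021:10:00:05 +0000] "POST /ui/servlet/UiServlet HTTP/1.1" 200 812
203.0.113.45 - - [17/Feb/2021:10:00:06 +0000] "GET /ui/%73ervlet/UiServlet?x=1 HTTP/1.1" 500 210
198.51.100.7 - - [17/Feb/2021:10:00:09 +0000] "GET /help/index.html HTTP/1.1" 200 3001
192.168.50.10 - - [17/Feb/2021:10:00:12 +0000] "GET /ui/servlet/UiServlet HTTP/1.1" 200 4000
this line is not in log format
"""

if __name__ == "__main__":
    flagged = flag_requests(SAMPLE_LOG.splitlines())
    for rec in flagged:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("per-source counts:", hits_by_source(flagged))
```

On the sample data only the two requests from 203.0.113.45 are flagged: the 10.x and 192.168.50.x sources are trusted, the /help request is outside the servlet prefix, and the unparsable line is ignored. The percent-decoding step is what keeps the prefix match from being a plain string comparison on the raw URI; without it the third line would be missed even though the server handles it as a servlet request.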

🔗 References
