CVE-2021-2084

8.2 HIGH

📋 TL;DR

An unauthenticated attacker can exploit this vulnerability in Oracle CRM Technical Foundation via HTTP to gain unauthorized access to critical data or modify data. The vulnerability requires human interaction from someone other than the attacker and affects Oracle E-Business Suite versions 12.1.3 and 12.2.3-12.2.10.

💻 Affected Systems

Products:
  • Oracle E-Business Suite - CRM Technical Foundation
Versions: 12.1.3 and 12.2.3 through 12.2.10
Operating Systems: All platforms running affected Oracle E-Business Suite versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires human interaction from a user other than the attacker, but exploitation is unauthenticated via HTTP.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Oracle CRM Technical Foundation accessible data, including unauthorized access to critical information and unauthorized data modification across connected systems.

🟠 Likely Case

Unauthorized access to sensitive CRM data and potential data manipulation, leading to business disruption and data integrity issues.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially preventing exploitation or containing damage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle describes the vulnerability as 'easily exploitable', but specific exploit details are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update Advisory - January 2021

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart affected Oracle E-Business Suite services.
4. Verify the patch application through version checks.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Restrict network access to Oracle CRM Technical Foundation components to trusted internal networks only.

Access Control Lists (all platforms)

Implement strict firewall rules to limit HTTP access to Oracle E-Business Suite from untrusted sources.

🧯 If You Can't Patch

  • Isolate affected systems from internet access and untrusted networks
  • Implement additional authentication layers and monitor for suspicious access patterns

🔍 How to Verify

Check if Vulnerable:

Check the Oracle E-Business Suite version against the affected versions (12.1.3 or 12.2.3-12.2.10) and verify whether the CRM Technical Foundation component is installed.

Check Version:

Check the Oracle application version through Oracle's application administration tools or database queries specific to your E-Business Suite implementation.

Verify Fix Applied:

Verify patch application through Oracle's patch management tools and confirm that the version is no longer in the vulnerable range.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to CRM Technical Foundation endpoints
  • Unauthorized access attempts to preferences-related functions

Network Indicators:

  • Unexpected HTTP traffic patterns to Oracle E-Business Suite from untrusted sources

SIEM Query:

source="oracle-ebs" AND (uri CONTAINS "preferences" OR component="CRM Technical Foundation") AND status>=400
