CVE-2021-2104

8.2 HIGH

📋 TL;DR

This vulnerability in Oracle Complex Maintenance, Repair, and Overhaul allows an unauthenticated attacker with network access via HTTP to read and modify sensitive data through the Dialog Box component. It affects Oracle Supply Chain deployments running versions 11.5.10, 12.1, and 12.2. Successful exploitation requires human interaction from a user other than the attacker, but the impact can extend to other connected products.

💻 Affected Systems

Products:
  • Oracle Complex Maintenance, Repair, and Overhaul
Versions: 11.5.10, 12.1, 12.2
Operating Systems: Not OS-specific; the flaw is in the Oracle application itself
Default Config Vulnerable: ⚠️ Yes
Notes: Part of the Oracle Supply Chain product suite; the vulnerability is in the Dialog Box component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all data accessible to Oracle Complex Maintenance, Repair, and Overhaul, including unauthorized access to critical information and the ability to modify or delete data.

🟠 Likely Case

Unauthorized access to sensitive supply chain data and potential modification of maintenance and repair records.

🟢 If Mitigated

Limited impact where network segmentation and access controls prevent unauthenticated HTTP access.

🌐 Internet-Facing: HIGH - Unauthenticated network access via HTTP makes internet-facing instances highly exposed.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems, but human interaction is required.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Rated easily exploitable in Oracle's assessment, but it requires human interaction (UI redressing/clickjacking is the likely vector).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update for January 2021

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2021.html

Restart Required: Yes

Instructions:

1. Download the Critical Patch Update for January 2021 from Oracle Support.
2. Apply the patch to affected Oracle Complex Maintenance, Repair, and Overhaul installations.
3. Restart application services.
4. Test functionality.

🔧 Temporary Workarounds

Network Access Restriction (applies to: all affected versions)

Restrict HTTP access to Oracle Complex Maintenance, Repair, and Overhaul to trusted networks only.

Web Application Firewall Rules (applies to: all affected versions)

Implement WAF rules to block suspicious dialog box interactions.

🧯 If You Can't Patch

  • Isolate Oracle Complex Maintenance, Repair, and Overhaul behind VPN or internal network only
  • Implement strict access controls and monitor for unusual dialog box activity

🔍 How to Verify

Check if Vulnerable:

Compare the installed Oracle Complex Maintenance, Repair, and Overhaul version against the affected versions (11.5.10, 12.1, 12.2).

Check Version:

Determine the Oracle application version through the administrative interface or Oracle documentation.

Verify Fix Applied:

Confirm that the Critical Patch Update for January 2021 is applied and that the installed version is no longer in the affected list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual dialog box access patterns
  • Unauthenticated HTTP requests to dialog components
  • Multiple failed authentication attempts followed by dialog access

Network Indicators:

  • HTTP traffic to dialog endpoints from unexpected sources
  • Unusual data extraction patterns

SIEM Query (illustrative; adapt source and field names to your log schema):

source="oracle_app" AND (event_type="dialog_access" OR uri="/dialog*") AND user="unauthenticated"
