CVE-2021-2106

8.2 HIGH

📋 TL;DR

An unauthenticated attacker with HTTP network access can compromise the Outcome-Result component of Oracle Customer Interaction History, a module of Oracle E-Business Suite, in versions 12.1.1-12.1.3 and 12.2.3-12.2.10. Exploitation needs a person other than the attacker to interact (for example a logged-in EBS user acting on attacker-supplied content); a successful attack can expose critical or all Customer Interaction History data, allows some of that data to be updated, inserted or deleted, and may affect other products beyond Customer Interaction History.

💻 Affected Systems

Products:
  • Oracle E-Business Suite - Customer Interaction History
Versions: 12.1.1-12.1.3 and 12.2.3-12.2.10
Operating Systems: Any OS running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the Outcome-Result component. Exploitation requires network access over HTTP and interaction by a person other than the attacker; no credentials are needed.

📦 What is this software?

Oracle Customer Interaction History is a CRM foundation module of Oracle E-Business Suite that records interactions between customers and the business (calls, e-mails, web and other contacts) together with their outcomes, results and reasons. The "Outcome-Result" component named in the advisory is that outcome and result tracking. It runs on the EBS web tier and is reached through the same HTTP entry point as the rest of the suite.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all Oracle Customer Interaction History data including unauthorized access to critical information and ability to modify or delete data, potentially impacting other connected systems.

🟠

Likely Case

Unauthorized access to sensitive customer interaction data and partial ability to modify records, leading to data breaches and integrity issues.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, though vulnerability remains present in the application.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (base score 8.2): reachable over the network, easily exploitable (AC:L), no privileges required (PR:N), but a person other than the attacker must interact (UI:R), typically a legitimate user with an EBS session acting on attacker-supplied content. The changed scope (S:C) is why Oracle notes that attacks may significantly impact products beyond Customer Interaction History. Impact is high on confidentiality and low on integrity, with no availability impact. "Complexity: LOW" refers to AC:L, not to the effort of getting a victim to interact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Oracle E-Business Suite Critical Patch Update for January 2021, or any later CPU (EBS CPU patches are cumulative). The patch numbers per release are listed in the advisory and its associated My Oracle Support note, not on this page.

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2021.html

Restart Required: Yes

Instructions:

1. Read the Oracle E-Business Suite section of the January 2021 CPU advisory and its associated My Oracle Support note for the patch numbers and prerequisites for your release (12.1 or 12.2), and download them from My Oracle Support.
2. Apply the patches with the release-appropriate tool: adpatch in maintenance mode on 12.1, or an adop online-patching cycle (prepare, apply, finalize, cutover, cleanup) on 12.2.
3. Restart application services (on 12.2 the cutover phase does this).
4. Confirm the patch appears in the AD patch inventory and test Customer Interaction History functionality.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all affected versions

Restrict network access to the EBS web tier, and to Customer Interaction History pages in particular, to trusted source addresses. Because the attack also needs a user to interact, keep EBS off the public internet wherever possible so that a lured user's browser cannot reach it from an untrusted network.

Web Application Firewall

Applies to: all affected versions

Deploy a WAF in front of the EBS web tier. No public PoC exists, so there is no exploit-specific signature; rely on generic controls (blocking untrusted sources, rate limiting, anomaly rules on requests to Customer Interaction History pages) and on any virtual-patching rules your WAF vendor publishes for this CVE.

🧯 If You Can't Patch

  • Restrict network exposure: keep the EBS web tier off the public internet, or, if it must be reachable, deploy it according to Oracle's DMZ configuration guidance (URL firewall, node trust levels) so that only the pages that must be exposed are exposed.
  • Monitor web-tier access logs for requests to Customer Interaction History pages from unexpected sources or with Referer values outside the EBS host, and tell users not to follow EBS links arriving by e-mail or chat, since the attack depends on a user interacting.

🔍 How to Verify

Check if Vulnerable:

Check the Oracle E-Business Suite release (FND_PRODUCT_GROUPS.RELEASE_NAME) against the affected ranges 12.1.1-12.1.3 and 12.2.3-12.2.10, then check the AD patch inventory (AD_BUGS, or adop -status on 12.2) for the January 2021 CPU patch for your release. Releases outside the published ranges are outside Oracle's supported set, not confirmed unaffected.

Check Version:

Query the release from the database with SELECT release_name FROM apps.fnd_product_groups, or read it from the application administration interface (Oracle Applications Manager). Version strings compare incorrectly as text ('12.2.9' sorts after '12.2.10'), so compare numeric components.

Verify Fix Applied:

Confirm that the January 2021 (or later) CPU patch for your release is present in AD_BUGS. Applying a CPU does not change the release number: a patched 12.2.10 still reports 12.2.10, so a version check alone cannot prove the fix is applied; the patch inventory can.
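The two checks above as a script, added here as an example and not taken from this page or from Oracle: it classifies the release reported by FND_PRODUCT_GROUPS against the published ranges with numeric comparison, then looks for the CPU patch in the AD_BUGS inventory. The SQL strings are the standard EBS queries; the CPU patch number is not on this page and is passed in from the advisory. The inventory in the usage section is constructed, and "<CPU-BUG>" and "<OTHER-BUG>" are placeholders.

```python
import re

# Standard Oracle E-Business Suite tables a DBA queries for the two inputs used
# below (run against the APPS schema; on 12.2, against the run edition).
RELEASE_SQL = "SELECT release_name FROM apps.fnd_product_groups"
PATCH_SQL = "SELECT bug_number FROM apps.ad_bugs WHERE bug_number = :bug_number"

# Affected ranges as published for CVE-2021-2106, inclusive.
AFFECTED_RANGES = [((12, 1, 1), (12, 1, 3)), ((12, 2, 3), (12, 2, 10))]


def parse_release(release_name):
    """'12.2.10' -> (12, 2, 10).

    Compare as integer tuples. As strings, '12.2.9' > '12.2.10', so a text
    comparison against the upper bound 12.2.10 would wrongly clear 12.2.3
    through 12.2.9.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", release_name.strip())
    if not m:
        raise ValueError(f"unrecognised EBS release_name: {release_name!r}")
    return tuple(int(x) for x in m.groups())


def in_affected_range(release_name):
    """True if the release falls inside one of the published affected ranges."""
    v = parse_release(release_name)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(release_name, applied_bug_numbers, cpu_bug_number):
    """Combine the version check with the patch-inventory check.

    release_name:        value of FND_PRODUCT_GROUPS.RELEASE_NAME
    applied_bug_numbers: set of AD_BUGS.BUG_NUMBER values (as strings)
    cpu_bug_number:      the January 2021 CPU patch number for this release,
                         taken from the advisory (not reproduced here)

    'not_in_affected_range' means outside the published supported ranges,
    not that an older, unsupported release is safe.
    """
    if not in_affected_range(release_name):
        return "not_in_affected_range"
    if str(cpu_bug_number) in applied_bug_numbers:
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed inventory; "<CPU-BUG>" stands in for the real patch number.
    inventory = {"<CPU-BUG>", "<OTHER-BUG>"}
    print(assess("12.2.10", inventory, "<CPU-BUG>"))        # patched
    print(assess("12.2.10", {"<OTHER-BUG>"}, "<CPU-BUG>"))  # vulnerable
    print(assess("12.2.11", set(), "<CPU-BUG>"))            # not_in_affected_range
```

Feed `assess` the real RELEASE_NAME and the set of BUG_NUMBER values from AD_BUGS; on 12.2 query the run edition, otherwise a patch applied in a cycle that has not reached cutover can show as present while the running system is still unpatched.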

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Customer Interaction History pages (the advisory's "Outcome-Result" label is a component name, not a literal string in request URIs; map it to the CIH page paths under /OA_HTML/ in your deployment)
  • Requests to those pages from clients with no established EBS session, or bursts of 4xx/5xx responses on them

Network Indicators:

  • HTTP traffic to Customer Interaction History pages from source addresses outside the networks where EBS users sit
  • Requests to those pages carrying a Referer outside the EBS host, consistent with a user lured from an attacker-controlled page (the interaction UI:R requires)

SIEM Query:

source="oracle-ebs" AND (uri="*Outcome-Result*" OR uri="*customer-interaction*" OR uri="*history*") AND status>=400

Treat this as a starting point rather than a signature: the wildcard strings are guesses at page names, and EBS URIs do not literally contain the component name, so substitute the real Customer Interaction History page paths from your deployment. The status>=400 filter surfaces only failed attempts; a successful exploit returns 2xx, so also alert on requests to those pages from untrusted source addresses or with an external Referer regardless of status.
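The indicators above as runnable detection logic, added here as an example and not part of this page: it parses Oracle HTTP Server access log lines in Apache combined format and flags requests to Customer Interaction History pages that come from outside the trusted user networks, that carry a Referer outside the EBS host (a lured user, which is what UI:R implies), or that fail with a 4xx/5xx status. The log lines are constructed; "/OA_HTML/ExampleCIHPage.jsp", "ebs.example.internal" and the 10.10.0.0/16 range are placeholders to replace with the real CIH page paths, hostname and user networks of your deployment.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Apache/OHS "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic. "ExampleCIHPage.jsp" is a stand-in
# for the actual Customer Interaction History page(s) in your EBS deployment.
SAMPLE_LOG = """\
10.10.5.21 - - [20/Jan/2021:10:01:02 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/NewHomePG HTTP/1.1" 200 5120 "https://ebs.example.internal/OA_HTML/AppsLogin" "Mozilla/5.0"
10.10.5.21 - - [20/Jan/2021:10:01:40 +0000] "GET /OA_HTML/ExampleCIHPage.jsp?id=42 HTTP/1.1" 200 2048 "https://ebs.example.internal/OA_HTML/OA.jsp" "Mozilla/5.0"
10.10.7.9 - - [20/Jan/2021:10:03:11 +0000] "GET /OA_HTML/ExampleCIHPage.jsp?id=43 HTTP/1.1" 200 2048 "http://lure.example.net/promo.html" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2021:10:04:01 +0000] "GET /OA_HTML/ExampleCIHPage.jsp?id=1 HTTP/1.1" 403 512 "-" "curl/7.68.0"
203.0.113.7 - - [20/Jan/2021:10:04:02 +0000] "POST /OA_HTML/ExampleCIHPage.jsp HTTP/1.1" 500 512 "-" "curl/7.68.0"
"""

TRUSTED_NETS = [ip_network("10.10.0.0/16")]          # assumed: where EBS users sit
EBS_HOSTS = {"ebs.example.internal"}                  # assumed: EBS web entry point(s)
CIH_PATH_MARKERS = ("/OA_HTML/ExampleCIHPage.jsp",)  # assumed placeholder for CIH pages


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def referer_host(referer):
    """Hostname from a Referer value; None when absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def classify(entry):
    """Return the rules an entry trips; [] means benign or out of scope."""
    reasons = []
    if not any(entry["uri"].startswith(p) for p in CIH_PATH_MARKERS):
        return reasons  # only Customer Interaction History pages are in scope
    try:
        client = ip_address(entry["ip"])
        if not any(client in net for net in TRUSTED_NETS):
            reasons.append("cih_from_untrusted_source")
    except ValueError:
        reasons.append("cih_unparseable_client")
    host = referer_host(entry["referer"])
    if host is not None and host not in EBS_HOSTS:
        reasons.append("cih_with_external_referer")   # victim arrived from elsewhere (UI:R)
    if entry["status"] >= 400:
        reasons.append("cih_error_response")          # failed attempt; success would be 2xx
    return reasons


def scan(log_text):
    """Return (ip, uri, status, reasons) for every entry that trips at least one rule."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["uri"], entry["status"], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The external-Referer rule is the one that catches a successful attack on a legitimate user, because that request comes from a trusted address with a 200 response and would pass both a source filter and the status>=400 SIEM query; expect benign hits from bookmark and portal links, so tune EBS_HOSTS to include any internal portals that legitimately link into EBS.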

🔗 References

  • Oracle Critical Patch Update Advisory - January 2021: https://www.oracle.com/security-alerts/cpujan2021.html