CVE-2021-2190
📋 TL;DR
This vulnerability in Oracle Sales Offline allows unauthenticated attackers to cause a denial of service (DoS) by crashing or hanging the application via HTTP requests. It affects Oracle E-Business Suite versions 12.1.1-12.1.3 and 12.2.3-12.2.10. The attack requires no authentication and has low complexity.
💻 Affected Systems
- Oracle E-Business Suite - Oracle Sales Offline
⚠️ Risk & Real-World Impact
Worst Case
Complete unavailability of Oracle Sales Offline component, disrupting sales operations for affected organizations.
Likely Case
Intermittent service disruptions or application crashes affecting sales teams using the offline functionality.
If Mitigated
Minimal impact if proper network segmentation and access controls prevent unauthenticated HTTP access.
🎯 Exploit Status
The CVSS vector rates the vulnerability as easily exploitable over the network with no authentication required. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Oracle Critical Patch Update for April 2021 or later
Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2021.html
Restart Required: Yes
Instructions:
1. Download the appropriate Critical Patch Update from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart affected Oracle E-Business Suite services.
4. Test the Oracle Sales Offline functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Oracle Sales Offline component to trusted IP addresses or internal networks only.
Use firewall rules to limit access to Oracle E-Business Suite HTTP ports.
Disable Oracle Sales Offline
Temporarily disable Oracle Sales Offline if it is not required for business operations.
Follow Oracle documentation to disable the Oracle Sales Offline component.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Oracle Sales Offline from untrusted networks
- Deploy web application firewall (WAF) with DoS protection rules
🔍 How to Verify
Check if Vulnerable:
Check Oracle E-Business Suite version and verify if Oracle Sales Offline is installed and accessible via HTTP.
Check Version:
Check the Oracle E-Business Suite version via Oracle Applications Manager or database queries specific to your installation.
Verify Fix Applied:
Verify that the April 2021 Critical Patch Update has been applied and test Oracle Sales Offline functionality.
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP requests to Oracle Sales Offline endpoints followed by service crashes
- Application error logs showing Template component failures
Network Indicators:
- Unusual HTTP traffic patterns to Oracle Sales Offline endpoints from unauthenticated sources
SIEM Query:
source="oracle-ebs" AND (event="crash" OR event="hang") AND component="Sales Offline"
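The two log indicators above (a burst of HTTP requests to Sales Offline endpoints followed by a Template component crash) correlated in code. This is an added example, not from the advisory or from Oracle: the log formats, the endpoint path /OA_HTML/sales_offline and the burst/lag thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample logs (not from the advisory). The line formats and the
# endpoint path are assumptions chosen for illustration only.
ACCESS_LOG = """\
2021-04-21T10:00:01 10.0.0.5 GET /OA_HTML/AppsLogin 200
2021-04-21T10:00:02 203.0.113.7 POST /OA_HTML/sales_offline 200
2021-04-21T10:00:03 203.0.113.7 POST /OA_HTML/sales_offline 200
2021-04-21T10:00:04 203.0.113.7 POST /OA_HTML/sales_offline 500
2021-04-21T10:00:05 203.0.113.7 POST /OA_HTML/sales_offline 503
2021-04-21T10:00:30 10.0.0.5 GET /OA_HTML/sales_offline 200
"""
ERROR_LOG = """\
2021-04-21T09:59:00 component=Template level=WARN msg="slow render"
2021-04-21T10:00:07 component=Template level=FATAL msg="Sales Offline process crashed"
"""
SALES_OFFLINE_PATH = "/OA_HTML/sales_offline"  # assumed endpoint prefix


def crash_times(error_log):
    """Timestamps of Template component crash/hang entries in the error log."""
    out = []
    for line in error_log.splitlines():
        ts, rest = line.split(" ", 1)
        if "component=Template" in rest and ("crash" in rest or "hang" in rest):
            out.append(datetime.fromisoformat(ts))
    return out


def correlate(access_log, error_log, burst=3, burst_window=10, crash_lag=30):
    """Return [(source_ip, first_alert_time)] for every source that sent at least
    `burst` Sales Offline requests within `burst_window` seconds and where a
    Template crash/hang was logged within `crash_lag` seconds afterwards."""
    crashes = crash_times(error_log)
    recent = {}   # source IP -> sliding window of request timestamps
    alerts = {}   # source IP -> time of the first correlated burst
    for line in access_log.splitlines():
        ts, src, _method, path, _status = line.split()
        if not path.startswith(SALES_OFFLINE_PATH):
            continue
        t = datetime.fromisoformat(ts)
        q = recent.setdefault(src, deque())
        q.append(t)
        while t - q[0] > timedelta(seconds=burst_window):
            q.popleft()   # drop requests older than the burst window
        if len(q) >= burst and any(
                timedelta(0) <= c - t <= timedelta(seconds=crash_lag) for c in crashes):
            alerts.setdefault(src, t.isoformat())
    return sorted(alerts.items())


if __name__ == "__main__":
    for src, when in correlate(ACCESS_LOG, ERROR_LOG):
        print(f"ALERT: Sales Offline request burst from {src} at {when} followed by a Template crash")
```

With the constructed logs, only the external source that sent four requests in four seconds before the crash is reported; the single internal request after the crash is not.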