CVE-2021-2200

9.1 CRITICAL

📋 TL;DR

This vulnerability in Oracle Applications Framework allows unauthenticated attackers to remotely compromise Oracle E-Business Suite via HTTP. Attackers can create, delete, or modify critical data, and access all framework-accessible data. Only version 12.2.10 of Oracle E-Business Suite is affected.

💻 Affected Systems

Products:
  • Oracle E-Business Suite
Versions: 12.2.10
Operating Systems: All platforms running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Oracle Applications Framework component within Oracle E-Business Suite. Requires HTTP access to the vulnerable component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Oracle Applications Framework data including unauthorized access to all critical business data and ability to modify or delete any data within the system.

🟠

Likely Case

Data exfiltration and unauthorized modification of business-critical information in Oracle E-Business Suite applications.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthenticated HTTP access to the vulnerable component.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle describes this as 'easily exploitable' with no authentication required via HTTP. No public exploit code has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update for April 2021

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart affected Oracle E-Business Suite services.
4. Verify the patch was applied successfully.

🔧 Temporary Workarounds

Network Access Restriction (applies to: all)

Restrict network access to Oracle Applications Framework to only trusted IP addresses and networks.

Use firewall rules to limit access to Oracle E-Business Suite HTTP ports (typically 8000, 443).

Application Firewall Rules (applies to: all)

Implement web application firewall rules to block suspicious HTTP requests to the Home page component.

Configure the WAF to monitor and block anomalous requests to /OA_HTML/* and related paths.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Oracle E-Business Suite from untrusted networks
  • Enable enhanced logging and monitoring for unauthorized access attempts to Oracle Applications Framework

🔍 How to Verify

Check if Vulnerable:

Check Oracle E-Business Suite version and patch level. If running version 12.2.10 without April 2021 CPU patches, the system is vulnerable.

Check Version:

Check the Oracle E-Business Suite version via Oracle Applications Manager or database queries specific to your installation.

Verify Fix Applied:

Verify that the April 2021 Critical Patch Update has been applied successfully using Oracle's patch verification tools.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Oracle Applications Framework Home page
  • Unauthorized data access or modification attempts
  • Multiple failed authentication attempts followed by successful unauthorized access

Network Indicators:

  • Unusual HTTP traffic patterns to Oracle E-Business Suite from unexpected sources
  • Data exfiltration patterns from Oracle databases

SIEM Query:

source="oracle-ebs" AND (http_request LIKE "%OA_HTML%" OR http_request LIKE "%/oracle/apps/fnd%") AND (response_code=200 OR response_code=302) FROM external_ips

(Pseudo-query, not tied to one SIEM product: adapt the field names to your platform, and scope the search to source addresses outside your internal ranges.)
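As an added example that is not part of this advisory, the indicator behind the SIEM query above (request to an /OA_HTML/ or /oracle/apps/fnd path, response 200 or 302, external source address) applied to a few constructed Apache-style access-log lines in Python. The log format and the internal address ranges are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (Apache combined format); not real EBS traffic.
SAMPLE_LOG = """\
10.1.4.22 - - [20/Apr/2021:10:01:02 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/HomePG HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [20/Apr/2021:10:01:09 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/HomePG HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.45 - - [20/Apr/2021:10:01:10 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 812 "-" "curl/7.68.0"
198.51.100.7 - - [20/Apr/2021:10:02:30 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 404 220 "-" "python-requests/2.25"
192.168.20.5 - - [20/Apr/2021:10:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Path fragments and response codes taken from the advisory's SIEM query.
WATCH_PATHS = ("/OA_HTML/", "/oracle/apps/fnd")
WATCH_STATUS = {200, 302}
# Assumed internal ranges (RFC 1918); replace with your own allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the source address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract source, timestamp, method, path and status; None for unparseable lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return records that hit a watched path with a 200/302 response from an external source."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_hit = any(p in rec["path"] for p in WATCH_PATHS)
        if path_hit and int(rec["status"]) in WATCH_STATUS and is_external(rec["src"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in flag_suspicious(SAMPLE_LOG):
        print(h["src"], h["method"], h["path"], h["status"])
```

The internal 10.x request and the external 404 are filtered out; only the two successful external requests to /OA_HTML/ are reported.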
