CVE-2021-2205

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to remotely compromise Oracle Marketing via HTTP, enabling unauthorized access to critical data and modification of all accessible data. It affects Oracle E-Business Suite Marketing component versions 12.2.7 through 12.2.10. Organizations running these versions without proper network controls are at significant risk.

💻 Affected Systems

Products:
  • Oracle E-Business Suite Marketing
Versions: 12.2.7-12.2.10
Operating Systems: All supported platforms for Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Marketing Administration component specifically. Requires network access via HTTP to the Oracle Marketing application.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Oracle Marketing data including unauthorized access to all sensitive information and ability to create, modify, or delete any data within the system.

🟠

Likely Case

Unauthorized data access and manipulation leading to data breaches, data integrity issues, and potential compliance violations.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthenticated external access to the vulnerable component.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CVSS indicates low attack complexity and no authentication required, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update for April 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate Critical Patch Update from Oracle Support.
2. Apply the patch following Oracle's E-Business Suite patching procedures.
3. Restart affected services.
4. Test functionality post-patch.

🔧 Temporary Workarounds

Network Segmentation
Platforms: all
Restrict network access to the Oracle Marketing component to trusted internal networks only.
Add firewall rules to block external HTTP access to Oracle Marketing ports.

Web Application Firewall
Platforms: all
Deploy a WAF with rules to detect and block exploitation attempts.
Configure the WAF to monitor Oracle Marketing endpoints.

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP access to Oracle Marketing only from authorized internal IP addresses
  • Monitor network traffic and application logs for unusual access patterns to Oracle Marketing endpoints

🔍 How to Verify

Check if Vulnerable:

Check Oracle E-Business Suite version and installed patches. Vulnerable if running Marketing component versions 12.2.7-12.2.10 without April 2021 CPU.

Check Version:

SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS;

Then check the installed Marketing component version against the affected range.

Verify Fix Applied:

Verify patch installation via Oracle OPatch utility and confirm version is updated beyond vulnerable range.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Marketing Administration endpoints
  • Unauthorized access attempts from unexpected IP addresses
  • Data modification events without proper authentication

Network Indicators:

  • HTTP traffic to Oracle Marketing ports from external/untrusted sources
  • Unusual request patterns to marketing administration URLs

SIEM Query:

source="oracle-ebs-logs" AND (uri_path="/OA_HTML/*Marketing*" OR module="Marketing") AND (src_ip NOT IN trusted_networks)
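The SIEM query above can also be applied offline to raw web-server access logs. The following is an added example, not part of this advisory and not Oracle code: it implements the same three conditions (Oracle EBS log source, a request path matching /OA_HTML/*Marketing*, and a client address outside the trusted networks) over a few constructed access-log lines. The combined-log format, the trusted ranges in TRUSTED_NETWORKS and every sample path and IP address are assumptions chosen for illustration; path matching is done case-insensitively, as wildcard matching in most SIEMs is.

```python
# Added example: stand-alone equivalent of the advisory's SIEM query,
# run over constructed Oracle EBS access-log lines.
import ipaddress
import re
from fnmatch import fnmatchcase

# Assumed trusted internal ranges; replace with your own allow-list.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Path wildcard taken from the advisory's SIEM query.
MARKETING_PATH_GLOB = "/OA_HTML/*Marketing*"

# Minimal parser for combined-log-format lines: client IP, timestamp,
# method, request path and HTTP status (log format is an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip_str):
    """True if the client address falls inside a trusted network.
    Unparseable addresses are treated as untrusted so they are not silently dropped."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def is_marketing_path(path):
    """Case-insensitive match of the request path against /OA_HTML/*Marketing*."""
    return fnmatchcase(path.lower(), MARKETING_PATH_GLOB.lower())


def flag_untrusted_marketing_access(lines):
    """Return every parsed record that hits a Marketing path from an untrusted source."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        if is_marketing_path(rec["path"]) and not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits


# Constructed sample log: documentation-range IPs and invented page names.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2021:10:15:01 +0000] "GET /OA_HTML/MarketingAdmin.jsp HTTP/1.1" 200 5120
10.1.2.3 - - [20/Apr/2021:10:15:04 +0000] "GET /OA_HTML/MarketingAdmin.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [20/Apr/2021:10:15:09 +0000] "GET /OA_HTML/OtherPage.jsp HTTP/1.1" 200 2048
198.51.100.22 - - [20/Apr/2021:10:16:30 +0000] "POST /OA_HTML/marketing/admin/save HTTP/1.1" 302 0
this line is not a valid access-log record
"""

if __name__ == "__main__":
    for hit in flag_untrusted_marketing_access(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

On the sample input only the two external requests to Marketing paths are reported; the same page requested from 10.1.2.3 and the external request to a non-Marketing page are not. Tune TRUSTED_NETWORKS to the ranges that legitimately reach the application, and treat a hit as a trigger for reviewing the application's own audit trail rather than as confirmation of exploitation.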

🔗 References
