CVE-2021-2233

8.1 HIGH

📋 TL;DR

This vulnerability in Oracle Enterprise Asset Management allows authenticated attackers with low privileges to perform unauthorized data manipulation and access via HTTP. It affects Oracle E-Business Suite versions 12.1.1-12.1.3 and 12.2.3-12.2.10, potentially compromising critical asset management data.

💻 Affected Systems

Products:
  • Oracle E-Business Suite - Enterprise Asset Management
Versions: 12.1.1-12.1.3 and 12.2.3-12.2.10
Operating Systems: All platforms running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Oracle Enterprise Asset Management component to be installed and configured

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of Oracle Enterprise Asset Management data, including unauthorized creation, modification and deletion of critical data and full data access

🟠 Likely Case: Unauthorized data manipulation and access to sensitive asset management information by authenticated users

🟢 If Mitigated: Limited impact with proper access controls, network segmentation, and monitoring in place

🌐 Internet-Facing: HIGH - Network accessible via HTTP with low privilege requirements
🏢 Internal Only: HIGH - Low privileged internal users can exploit this vulnerability

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle describes the vulnerability as 'easily exploitable' by a low-privileged attacker with network access via HTTP.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update for April 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2021.html

Restart Required: Yes

Instructions:

1. Download the Critical Patch Update for April 2021 from Oracle Support
2. Apply the patch to affected Oracle E-Business Suite instances
3. Restart application services
4. Test functionality

🔧 Temporary Workarounds

Network Access Restriction (applies to: all affected versions)

Restrict HTTP access to Oracle E-Business Suite to trusted networks only

Privilege Reduction (applies to: all affected versions)

Review and minimize low privilege user accounts with access to Enterprise Asset Management

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Oracle E-Business Suite
  • Enhance monitoring and logging for suspicious data manipulation activities in Enterprise Asset Management

🔍 How to Verify

Check if Vulnerable:

Check Oracle E-Business Suite version and patch level via Oracle application administration tools

Check Version:

Check via Oracle Application Manager or query application version tables in Oracle database

Verify Fix Applied:

Verify Critical Patch Update for April 2021 is applied and check patch status in Oracle application

📡 Detection & Monitoring

Log Indicators:

  • Unusual data modification patterns in Enterprise Asset Management logs
  • Multiple failed access attempts followed by successful data manipulation

Network Indicators:

  • HTTP requests to Enterprise Asset Management endpoints from unexpected sources
  • Unusual data volume transfers

SIEM Query:

source="oracle-ebs" AND (event_type="data_modification" OR event_type="unauthorized_access") AND component="Enterprise Asset Management"
