CVE-2021-2235

8.1 HIGH

📋 TL;DR

This vulnerability in Oracle Transportation Execution allows authenticated attackers with low privileges to perform unauthorized data manipulation and access critical information via HTTP. It affects Oracle E-Business Suite versions 12.1.1 through 12.1.3. The vulnerability has high confidentiality and integrity impacts with a CVSS score of 8.1.

💻 Affected Systems

Products:
  • Oracle E-Business Suite - Oracle Transportation Execution
Versions: 12.1.1 through 12.1.3
Operating Systems: All supported platforms for Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Oracle Transportation Execution component to be installed and configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Oracle Transportation Execution data, including unauthorized creation, deletion and modification of critical data, and full access to all accessible data.

🟠 Likely Case

Unauthorized data manipulation and access to sensitive transportation execution information by authenticated, low-privileged users.

🟢 If Mitigated

Limited impact if proper network segmentation, least-privilege access controls, and monitoring are implemented.

🌐 Internet-Facing: HIGH - Network accessible via HTTP with low attack complexity and authentication requirements.
🏢 Internal Only: HIGH - Even internal attackers with low privileges can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires low-privileged authenticated access via HTTP. Oracle describes the vulnerability as 'easily exploitable'.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update for April 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart affected services.
4. Test functionality.

🔧 Temporary Workarounds

Network Access Restriction (applies to: all)

Restrict network access to Oracle Transportation Execution to trusted sources only.

Use firewall rules to limit access to specific IP ranges.

Privilege Reduction (applies to: all)

Review and reduce privileges for users accessing Oracle Transportation Execution.

Review user roles and permissions in Oracle E-Business Suite.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Oracle Transportation Execution
  • Enforce least privilege access controls and monitor all access to the affected component

🔍 How to Verify

Check if Vulnerable:

Check the Oracle E-Business Suite version and installed components. If Oracle Transportation Execution is installed on Oracle E-Business Suite 12.1.1 through 12.1.3 and the April 2021 Critical Patch Update (or later) has not been applied, the system is vulnerable.

Check Version:

Check Oracle E-Business Suite version through Oracle application administration tools or database queries specific to your installation.

Verify Fix Applied:

Verify patch application through Oracle patch management tools and confirm the installed patch level is at or beyond the April 2021 Critical Patch Update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual data manipulation activities in Oracle Transportation Execution logs
  • Unauthorized access attempts to sensitive data

Network Indicators:

  • HTTP requests to Oracle Transportation Execution endpoints from unauthorized sources
  • Unusual data transfer patterns

SIEM Query:

source="oracle-ebs" AND (component="transportation-execution" OR module="install-upgrade") AND (action="modify" OR action="delete" OR action="create") AND user_privilege="low"

The field names above (source, component, module, action, user_privilege) are illustrative and depend on how your log source is normalized; map them to the equivalent fields in your SIEM before use.
