CVE-2021-2253
📋 TL;DR
An unauthenticated remote attacker can exploit this vulnerability in Oracle Advanced Supply Chain Planning via HTTP to create, delete, or modify critical data, or access all data without authorization. Organizations using Oracle Advanced Supply Chain Planning versions 12.1 or 12.2 are affected. The vulnerability has a high CVSS score of 9.1 due to its network accessibility and lack of authentication requirements.
💻 Affected Systems
- Oracle Advanced Supply Chain Planning
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Oracle Advanced Supply Chain Planning data, including unauthorized access to all sensitive supply chain information and unauthorized modification or deletion of critical planning data.
Likely Case
Unauthorized data access and manipulation of supply chain planning information, potentially disrupting operations or exposing confidential business data.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthenticated HTTP access to the vulnerable component.
🎯 Exploit Status
Oracle describes it as 'easily exploitable' with network access via HTTP and no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply patches from Oracle Critical Patch Update for April 2021
Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2021.html
Restart Required: Yes
Instructions:
1. Review the Oracle Critical Patch Update Advisory for April 2021.
2. Download and apply the appropriate patch for your Oracle Advanced Supply Chain Planning version.
3. Restart the application services.
4. Test functionality after patching.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Oracle Advanced Supply Chain Planning to only trusted IP addresses using firewall rules.
iptables -A INPUT -p tcp --dport <oracle_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <oracle_port> -j DROP
Web Application Firewall
Deploy a WAF with rules to block suspicious HTTP requests to the vulnerable endpoint.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Oracle Advanced Supply Chain Planning from untrusted networks.
- Monitor all HTTP traffic to the application for suspicious patterns and unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Check Oracle Advanced Supply Chain Planning version against affected versions 12.1 or 12.2.
Check Version:
SELECT * FROM v$version WHERE banner LIKE '%Advanced Supply Chain Planning%';
Verify Fix Applied:
Verify patch installation by checking version or patch level against Oracle's patched versions in the April 2021 CPU.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated HTTP requests to Oracle Advanced Supply Chain Planning endpoints
- Unusual data access or modification patterns in application logs
Network Indicators:
- HTTP traffic from unexpected sources to Oracle Advanced Supply Chain Planning ports
- Unusual HTTP request patterns to the vulnerable component
SIEM Query:
source="oracle_logs" AND (http_method="POST" OR http_method="GET") AND dest_port=<oracle_port> AND user="anonymous"
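As an added example (not part of this advisory or of any Oracle tooling), the detection logic of the SIEM query above, combined with the trusted-address allowlist from the firewall workaround, applied to constructed access-log lines. The log field order, port 8000, the request paths and all addresses are assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumed field order of the constructed access-log lines used below:
# <src_ip> <dest_port> <method> <path> <status> <user>   ('-' = no user)
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<dport>\d+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<user>\S+)$"
)

# Constructed sample traffic; port 8000 and the /ascp paths are placeholders.
SAMPLE_LOGS = """\
10.10.1.5 8000 GET /ascp/plan 200 jsmith
10.10.1.5 8000 POST /ascp/plan 200 -
203.0.113.7 8000 POST /ascp/plan 200 anonymous
203.0.113.7 8000 GET /ascp/data 200 -
198.51.100.9 8000 GET /ascp/plan 401 -
10.10.1.5 443 GET /static/logo.png 200 -
""".splitlines()


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_unauthenticated_requests(lines, oracle_port, trusted_nets,
                                  unauth_users=("-", "anonymous")):
    """Mirror the advisory's SIEM query: HTTP requests to the ASCP port with no
    authenticated user. Each hit is rated by whether the request succeeded (2xx)
    and whether its source lies inside the trusted allowlist."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or int(rec["dport"]) != oracle_port:
            continue  # other services or unparseable lines are out of scope
        if rec["user"] not in unauth_users:
            continue  # authenticated session; not the CVE's precondition
        trusted = any(ipaddress.ip_address(rec["src"]) in n for n in nets)
        succeeded = rec["status"].startswith("2")
        if succeeded and not trusted:
            rec["severity"] = "high"    # unauthenticated success from outside
        elif succeeded:
            rec["severity"] = "medium"  # unauthenticated success, trusted source
        else:
            rec["severity"] = "low"     # attempt was rejected by the application
        hits.append(rec)
    return hits
```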