CVE-2021-2255

8.1 HIGH

📋 TL;DR

This vulnerability in Oracle Service Contracts allows authenticated attackers with low privileges to perform unauthorized data manipulation and access sensitive information via HTTP requests. It affects Oracle E-Business Suite versions 12.1.1 through 12.1.3. Attackers can create, delete, or modify critical contract data and access confidential information.

💻 Affected Systems

Products:
  • Oracle E-Business Suite - Service Contracts
Versions: 12.1.1 through 12.1.3
Operating Systems: All platforms running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Oracle Service Contracts component to be installed and configured. Affects both internet-facing and internal deployments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Oracle Service Contracts data including unauthorized modification of critical business contracts and exposure of sensitive contract information, potentially leading to financial fraud or business disruption.

🟠 Likely Case

Unauthorized access to and manipulation of service contract data by authenticated users, potentially resulting in data integrity issues and unauthorized disclosure of contract terms and customer information.

🟢 If Mitigated

Limited impact with proper access controls and network segmentation, though the vulnerability still exists in the application layer.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but with low privileges. Exploitation is straightforward via HTTP requests to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update for April 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2021.html

Restart Required: Yes

Instructions:

1. Download the April 2021 Critical Patch Update from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart affected Oracle E-Business Suite services.
4. Test the application functionality post-patch.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to Oracle E-Business Suite to only trusted IP addresses and networks. The rules below assume the application tier listens on TCP 8000 (adjust to your port) and use trusted_network as a placeholder for your CIDR. Because -A appends, make sure no earlier rule already accepts the port, or insert them with -I instead.

# Allow the trusted network to reach the web tier, then drop everything else on that port
iptables -A INPUT -p tcp --dport 8000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

Principle of Least Privilege

Review and minimize user privileges in Oracle E-Business Suite, especially for Service Contracts module

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Oracle E-Business Suite
  • Enable detailed logging and monitoring for unauthorized access attempts to Service Contracts module

🔍 How to Verify

Check if Vulnerable:

Check the Oracle E-Business Suite version and installed patches. If the system runs version 12.1.1 through 12.1.3 without the April 2021 CPU, it is vulnerable.

Check Version:

SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS;

Verify Fix Applied:

Verify that the April 2021 Critical Patch Update is applied and check the patch status in Oracle Applications.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Service Contracts endpoints
  • Multiple failed authentication attempts followed by successful access
  • Unexpected data modifications in contract tables

Network Indicators:

  • HTTP traffic to Oracle E-Business Suite from unauthorized sources
  • Unusual patterns of requests to /OA_HTML/* or similar Service Contracts paths

SIEM Query:

source="oracle-ebs" AND (uri_path="/OA_HTML/*" OR module="Service Contracts") AND (status=200 OR status=302) AND user_privilege="LOW"
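The first two log indicators above can be checked mechanically. The following is an added example, not part of this advisory page and not Oracle's tooling: it parses constructed access-log lines and raises an alert for a burst of Service Contracts requests from one user and for repeated failed logins followed by a successful request. The log layout, the /oracle/apps/oks/ path prefix for Service Contracts pages (OKS taken as the product short code), the /OA_HTML/AppsLogin login path and the use of HTTP 401/403 as a failed-login signal are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a common-log-like layout (not real logs):
#   client_ip user [timestamp] "METHOD path proto" status
# The /oracle/apps/oks/ prefix assumes OKS is the Service Contracts product code.
SAMPLE_LOG = """\
10.1.1.7 alice [15/Apr/2021:09:59:50 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/oks/contract/webui/ContractPG HTTP/1.1" 200
10.1.1.7 alice [15/Apr/2021:10:00:10 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/oks/contract/webui/LinesPG HTTP/1.1" 200
10.1.1.5 jsmith [15/Apr/2021:10:00:01 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/oks/contract/webui/ContractPG HTTP/1.1" 200
10.1.1.5 jsmith [15/Apr/2021:10:00:02 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/oks/contract/webui/ContractPG HTTP/1.1" 200
10.1.1.5 jsmith [15/Apr/2021:10:00:03 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/oks/contract/webui/ContractPG HTTP/1.1" 200
10.1.1.5 jsmith [15/Apr/2021:10:00:04 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/oks/contract/webui/ContractPG HTTP/1.1" 200
10.1.1.5 jsmith [15/Apr/2021:10:00:05 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/oks/contract/webui/ContractPG HTTP/1.1" 200
10.1.1.9 bob [15/Apr/2021:10:01:00 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 401
10.1.1.9 bob [15/Apr/2021:10:01:05 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 401
10.1.1.9 bob [15/Apr/2021:10:01:09 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 401
10.1.1.9 bob [15/Apr/2021:10:01:20 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 302
10.1.1.9 bob [15/Apr/2021:10:01:30 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/oks/contract/webui/ContractPG HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')
# Assumption: Service Contracts pages are served under /OA_HTML/ with an /oks/ path component.
SC_PATH_RE = re.compile(r"^/OA_HTML/.*/oks/", re.IGNORECASE)
FAILED_AUTH_STATUSES = (401, 403)   # assumption: failed logins surface as 401/403
SUCCESS_STATUSES = (200, 302)       # statuses the page's SIEM query treats as successful


def parse(log_text):
    """Turn log lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, ts, method, path, status = m.groups()
        events.append({
            "ip": ip, "user": user,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status),
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect(log_text, window_seconds=60, burst_threshold=5, fail_threshold=3):
    """Return alerts for the two indicators; thresholds are tunable per deployment."""
    alerts = []
    recent = defaultdict(deque)    # (ip, user) -> times of Service Contracts requests in window
    burst_flagged = set()          # keys already alerted, so a burst produces one alert
    failures = defaultdict(int)    # (ip, user) -> consecutive failed-auth responses

    for e in parse(log_text):
        key = (e["ip"], e["user"])

        # Indicator: multiple failed authentication attempts followed by successful access
        if e["status"] in FAILED_AUTH_STATUSES:
            failures[key] += 1
            continue
        if failures[key] >= fail_threshold and e["status"] in SUCCESS_STATUSES:
            alerts.append({"type": "failed_auth_then_success", "ip": e["ip"],
                           "user": e["user"], "failures": failures[key]})
        failures[key] = 0   # any non-failure response ends the failure streak

        # Indicator: unusual volume of requests to Service Contracts endpoints
        if SC_PATH_RE.match(e["path"]):
            q = recent[key]
            q.append(e["time"])
            while (e["time"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= burst_threshold and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append({"type": "service_contracts_burst", "ip": e["ip"],
                               "user": e["user"], "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two caveats when adapting this: E-Business Suite may answer a failed login with a 200 error page rather than a 401, so in practice the failed-login stream is better taken from the application's own login audit than from HTTP status codes; and the third indicator on the page, unexpected changes to contract tables, is a database-audit question that web logs cannot answer.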
