Login Sign Up

CVE-2021-2269

8.1 HIGH

📋 TL;DR

This vulnerability in Oracle Advanced Pricing allows authenticated attackers with low privileges to manipulate critical pricing data via HTTP requests. It affects Oracle E-Business Suite version 12.1.3, enabling unauthorized data access, creation, modification, or deletion.

💻 Affected Systems

Products:
  • Oracle E-Business Suite - Advanced Pricing
Versions: 12.1.3
Operating Systems: All platforms running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Oracle Advanced Pricing component to be installed and accessible via HTTP.

📦 What is this software?

Advanced Pricing by Oracle

View all CVEs affecting Advanced Pricing →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Oracle Advanced Pricing data including unauthorized access to all pricing information and manipulation of critical business pricing rules.

🟠

Likely Case

Unauthorized modification of pricing data leading to incorrect quotes, invoices, or financial discrepancies.

🟢

If Mitigated

Limited impact with proper network segmentation and strict access controls preventing low-privileged users from reaching vulnerable components.

🌐 Internet-Facing: HIGH - HTTP accessible vulnerability with low attack complexity that can be exploited remotely.
🏢 Internal Only: HIGH - Even internal attackers with low privileges can exploit this to manipulate critical pricing data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires low-privileged authenticated access but is easily exploitable according to Oracle's rating.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update for April 2021

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2021.html

Restart Required: Yes

Instructions:

1. Download the April 2021 Critical Patch Update from Oracle Support. 2. Apply the patch following Oracle E-Business Suite patching procedures. 3. Restart affected services. 4. Test functionality in non-production environment first.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to Oracle E-Business Suite to only trusted IP addresses and networks.

Use firewall rules to limit access to Oracle E-Business Suite HTTP ports

Privilege Reduction

all

Review and reduce privileges for users who don't require access to Advanced Pricing components.

Review Oracle E-Business Suite user roles and permissions

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Oracle E-Business Suite from untrusted networks
  • Enforce principle of least privilege and regularly audit user access to Advanced Pricing components

🔍 How to Verify

Check if Vulnerable:

Check Oracle E-Business Suite version and installed components. If running version 12.1.3 with Advanced Pricing installed, assume vulnerable.

Check Version:

Check Oracle E-Business Suite version through application administration interface or database queries specific to your installation.

Verify Fix Applied:

Verify patch application through Oracle's patch management tools and confirm version is updated post-April 2021 CPU.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Price Book components
  • Multiple failed authentication attempts followed by successful access
  • Unexpected data modifications in pricing tables

Network Indicators:

  • HTTP traffic to Oracle E-Business Suite from unexpected sources
  • Patterns of requests to Price Book endpoints

SIEM Query:

source="oracle-ebs" AND (uri CONTAINS "/pricebook" OR uri CONTAINS "/advancedpricing") AND (response_code=200 OR response_code=302) AND user_privilege="low"

📊 Metadata

CVE ID: CVE-2021-2269
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Published: April 22, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON