CVE-2021-2355

9.1 CRITICAL

📋 TL;DR

This vulnerability in Oracle Marketing (component: Marketing Administration), part of Oracle E-Business Suite, allows an unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. A successful attack gives unauthorized creation, deletion or modification of critical data, or complete read access to all data reachable through Oracle Marketing; availability is not affected (CVSS A:N). Affected versions are 12.1.1-12.1.3 and 12.2.3-12.2.10.

💻 Affected Systems

Products:
  • Oracle Marketing (part of Oracle E-Business Suite)
Versions: 12.1.1-12.1.3 and 12.2.3-12.2.10
Operating Systems: Any OS running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Marketing Administration component of Oracle Marketing specifically; an E-Business Suite instance is exposed only if the Oracle Marketing product is installed and its web functions are reachable over HTTP.

📦 What is this software?

Oracle Marketing is the campaign-management module of Oracle E-Business Suite (product short name AMS). It manages marketing campaigns, target lists and the associated customer data, and is served through the same EBS web tier (Oracle HTTP Server and OA Framework pages under /OA_HTML/) as the rest of the suite.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Oracle Marketing data: unauthorized read access to, or creation, modification or deletion of, all data the Oracle Marketing component can reach, leading to a data breach or silent manipulation of campaign and customer data. Availability is not in scope (CVSS A:N).

🟠 Likely Case

Opportunistic access to sensitive marketing data, and possibly data manipulation, by external attackers scanning for exposed Oracle E-Business Suite instances.

🟢 If Mitigated

Limited impact if the Marketing endpoints are reachable only from trusted networks and access attempts are monitored and alerted on.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. Oracle rates the flaw "easily exploitable": reachable over HTTP from the network, low attack complexity, no privileges and no user interaction required. No public proof of concept is known and Oracle does not publish technical details, so practical exploitation depends on an attacker working out the weakness (for example from the patch); treat that as a matter of time, not a barrier.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update for July 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujul2021.html

Restart Required: Yes

Instructions:

1. Identify the E-Business Suite patch for your release line (12.1 or 12.2) in the July 2021 Critical Patch Update advisory and download it from My Oracle Support. EBS CPU patches are cumulative, so a later CPU also contains this fix.
2. Apply it with the standard EBS patching tool: an adop online patching cycle for 12.2, or adpatch with the application tier services stopped for 12.1, following the prerequisites in the patch README.
3. Restart the application tier services as required and confirm the patch is recorded as applied.

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all affected versions

Restrict network access to the Oracle Marketing component to trusted IP addresses/networks only.

Use firewall rules to limit HTTP access to Oracle E-Business Suite instances; an EBS web tier that does not need to be Internet-facing should not be.

Authentication Enforcement

Applies to: all affected versions

Put an additional authentication layer (reverse proxy, VPN or Web Application Firewall) in front of the EBS web tier.

Configure the WAF or proxy to allowlist only the URL paths external users need and to block the Oracle Marketing endpoints from untrusted sources. A WAF cannot add back the missing authorization check inside the application, so this is a filter, not a fix; Oracle's own DMZ configuration guidance for E-Business Suite (its URL firewall allowlist of exposed functions) is the vendor-supported way to limit what is reachable externally.

🧯 If You Can't Patch

  • Isolate Oracle E-Business Suite instances behind network segmentation with strict access controls
  • Implement comprehensive monitoring and alerting for unauthorized access attempts to Oracle Marketing endpoints

🔍 How to Verify

Check if Vulnerable:

Confirm the instance runs Oracle E-Business Suite 12.1.1-12.1.3 or 12.2.3-12.2.10 and that the Oracle Marketing product (short name AMS) is installed. If both hold and the July 2021 (or a later) CPU patch has not been applied, the instance is vulnerable.

Check Version:

The EBS release is shown in the application administration interface (About This Page / OAM) and is stored in the release_name column of FND_PRODUCT_GROUPS in the APPS schema; the product installation status is visible in OAM's product inventory.

Verify Fix Applied:

Confirm the July 2021 CPU patch number for your release line is recorded as applied (in 12.2, adop reports applied patches and the AD patch tables record them; in 12.1, the AD_BUGS table records applied patch numbers), and that the patch cycle completed without errors.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to Oracle Marketing endpoints
  • Unusual data modification patterns in marketing data

Network Indicators:

  • HTTP requests to Oracle Marketing endpoints from untrusted sources
  • Unusual traffic patterns to Oracle E-Business Suite

SIEM Query:

source="oracle-ebs" AND (uri CONTAINS "/marketing/" OR uri CONTAINS "marketing_admin") AND (src_ip NOT IN trusted_networks)

The path fragments above are placeholders, not URLs from the advisory. EBS serves its pages through Oracle HTTP Server under /OA_HTML/, and Oracle Marketing's product short name is AMS, so tune the filter to the Marketing page names that actually appear in your OHS access logs, and treat HTTP 200 responses from untrusted sources as higher priority than 302 redirects to the login page.
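The detection logic run over log lines, as an added example that is not part of this advisory or any Oracle tooling: it parses Oracle HTTP Server (Apache combined format) access log lines, keeps requests whose path looks like an Oracle Marketing page, drops those from trusted networks, and ranks the rest by whether the page was actually served (2xx) or merely redirected (3xx, typically to login). The trusted ranges, the path hints (built on the /OA_HTML/ path and the AMS product code) and the log lines are all constructed assumptions to be replaced with your own.

```python
"""Added example (not from the advisory): flag HTTP requests to Oracle
Marketing-related EBS paths coming from untrusted source addresses.
Trusted ranges, path hints and sample log lines are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Apache/OHS "combined" format:
#   ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumed trusted ranges; replace with your own allowlist.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumption: EBS serves OA Framework pages under /OA_HTML/ and Oracle Marketing's
# product short code is "ams" (Java package oracle.apps.ams). These fragments are
# placeholders, not URLs taken from the advisory; tune them to your access logs.
MARKETING_PATH_HINTS = ("/oa_html/ams", "oracle/apps/ams", "oafunc=ams")

WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    severity: str  # "high" (page served) or "low" (redirected / error)
    reason: str


def is_trusted(ip: str) -> bool:
    """True only for syntactically valid addresses inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the client field is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def looks_like_marketing(path: str) -> bool:
    lowered = path.lower()
    return any(hint in lowered for hint in MARKETING_PATH_HINTS)


def scan(lines):
    """Return one Finding per untrusted request to a Marketing-looking path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if is_trusted(ip) or not looks_like_marketing(path):
            continue
        if 200 <= status < 300:
            severity = "high"
            reason = "Marketing page served to untrusted source"
            if method in WRITE_METHODS:
                reason += " with write method"
        elif 300 <= status < 400:
            severity = "low"
            reason = "untrusted request redirected (likely to login); tune out if noisy"
        else:
            severity = "low"
            reason = f"untrusted request answered with HTTP {status}"
        findings.append(Finding(ip, method, path, status, severity, reason))
    return findings


# Constructed sample log lines (not real traffic). 10.0.0.0/8 is trusted above;
# 203.0.113.0/24 is a documentation range standing in for the Internet.
SAMPLE_LOG = [
    '10.1.2.3 - - [20/Jul/2021:10:00:01 +0000] "GET /OA_HTML/amsCampaignAdmin.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [20/Jul/2021:10:00:02 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/ams/campaign/webui/CampPG HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '203.0.113.10 - - [20/Jul/2021:10:00:03 +0000] "GET /OA_HTML/amsCampaignAdmin.jsp HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '203.0.113.10 - - [20/Jul/2021:10:00:04 +0000] "POST /OA_HTML/amsCampaignAdmin.jsp HTTP/1.1" 200 312 "-" "curl/7.68.0"',
    '203.0.113.55 - - [20/Jul/2021:10:00:05 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

On the constructed sample the internal request and the login page request are ignored, the external 302 is reported low, and the two external 200s (one of them a POST) are reported high. Feed it your real OHS access log and widen MARKETING_PATH_HINTS from the page names you see in legitimate Marketing sessions before relying on it for alerting.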

🔗 References

  • Oracle Critical Patch Update Advisory - July 2021: https://www.oracle.com/security-alerts/cpujul2021.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-2355