CVE-2021-35543

8.1 HIGH

📋 TL;DR

This vulnerability in Oracle PeopleSoft Enterprise CC Common Application Objects allows authenticated attackers with low privileges to perform unauthorized data manipulation and access critical information via HTTP. It affects PeopleSoft Enterprise CC Common Application Objects version 9.2, potentially compromising sensitive organizational data.

💻 Affected Systems

Products:
  • Oracle PeopleSoft Enterprise CC Common Application Objects
Versions: 9.2
Operating Systems: Not OS-specific - affects the PeopleSoft application layer
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Activity Guide Composer component specifically. Requires PeopleSoft Enterprise CC Common Application Objects installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all PeopleSoft Enterprise CC Common Application Objects data, including unauthorized creation, deletion, modification, and full access to critical business information.

🟠 Likely Case

Unauthorized access to sensitive PeopleSoft data and potential data manipulation by authenticated users with low privileges.

🟢 If Mitigated

Limited impact if proper access controls, network segmentation, and monitoring are implemented to detect and prevent exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerability is network-accessible via HTTP and can be exploited remotely by authenticated users.
🏢 Internal Only: HIGH - Even internal attackers with low privileges can exploit this vulnerability to access and manipulate critical data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle describes it as 'easily exploitable'; it requires only low-privileged network access via HTTP. No authentication bypass is involved: the attacker must hold valid low-privilege credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update October 2021

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support.
2. Apply the October 2021 Critical Patch Update for PeopleSoft.
3. Restart affected PeopleSoft services.
4. Test functionality after patching.

🔧 Temporary Workarounds

Network Access Restriction (applies to: all)

Restrict network access to PeopleSoft systems to only trusted IP addresses and networks.

Privilege Reduction (applies to: all)

Review and minimize user privileges in PeopleSoft, especially for the Activity Guide Composer component.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to PeopleSoft systems
  • Enhance monitoring and logging for suspicious activity in PeopleSoft logs and network traffic

🔍 How to Verify

Check if Vulnerable:

Check the PeopleSoft version and verify whether the October 2021 Critical Patch Update has been applied.

Check Version:

Check the PeopleSoft version through PeopleTools or the application administration console.

Verify Fix Applied:

Verify patch installation through the PeopleSoft patch management tools and confirm the version has been updated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual activity in Activity Guide Composer logs
  • Multiple failed or suspicious access attempts to PeopleSoft components
  • Unauthorized data modification events

Network Indicators:

  • Unusual HTTP traffic patterns to PeopleSoft Activity Guide Composer endpoints
  • Multiple requests from single low-privilege accounts

SIEM Query:

source="peoplesoft" AND (component="Activity Guide Composer" OR action="modify" OR action="delete") AND user_privilege="low"
