CVE-2021-35570

8.1 HIGH

📋 TL;DR

This vulnerability in Oracle Mobile Field Service allows authenticated attackers with low privileges to perform unauthorized data manipulation and access sensitive information via HTTP requests. It affects Oracle E-Business Suite versions 12.1.1-12.1.3 and 12.2.3-12.2.10. Attackers can create, delete, or modify critical data without proper authorization.

💻 Affected Systems

Products:
  • Oracle Mobile Field Service
Versions: 12.1.1-12.1.3 and 12.2.3-12.2.10
Operating Systems: All supported platforms for Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Admin UI component specifically. Requires Oracle E-Business Suite installation with Mobile Field Service enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Oracle Mobile Field Service data including unauthorized access to critical business information and unauthorized modification of all accessible data.

🟠 Likely Case

Unauthorized access to sensitive field service data and manipulation of service records, potentially disrupting business operations.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access controls, and monitoring are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but with low privileges. CVSS indicates 'easily exploitable' via network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update October 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate Critical Patch Update from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart affected services.
4. Test functionality before deploying to production.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to Oracle Mobile Field Service to only trusted IP addresses and networks.

Privilege Reduction (applies to: all)

Review and minimize user privileges to only the functions each user needs within the Mobile Field Service application.

🧯 If You Can't Patch

  • Implement strict network access controls and firewall rules to limit HTTP access to the Mobile Field Service interface.
  • Enable detailed logging and monitoring for unauthorized access attempts and data modification activities.

🔍 How to Verify

Check if Vulnerable:

Check Oracle E-Business Suite version and Mobile Field Service component version against affected ranges.

Check Version:

Check Oracle application version through Oracle application administration tools or database queries specific to your installation.

Verify Fix Applied:

Verify that the October 2021 Critical Patch Update or later has been applied successfully.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Admin UI endpoints
  • Multiple failed authentication attempts followed by successful low-privilege access
  • Unexpected data modification events in audit logs

Network Indicators:

  • HTTP traffic to Mobile Field Service Admin UI from unexpected sources
  • Patterns of data access/modification requests from low-privilege accounts

SIEM Query:

source="oracle-ebs" AND (event_type="data_modification" OR event_type="unauthorized_access") AND user_privilege="low" AND component="mobile_field_service"
