CVE-2021-35572

7.5 HIGH

📋 TL;DR

This vulnerability in Oracle Outside In Technology allows an unauthenticated attacker with HTTP network access to cause a denial of service (crash or hang) through specially crafted requests. It affects any software using Oracle Outside In Technology SDK version 8.5.5, so organizations running Oracle Fusion Middleware or other products that incorporate this SDK are exposed.

💻 Affected Systems

Products:
  • Oracle Fusion Middleware (Outside In Technology component)
  • Any third-party software using Oracle Outside In Technology SDK
Versions: 8.5.5
Operating Systems: All platforms supported by Oracle Outside In Technology
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the Outside In Filters component. Impact depends on how the SDK is integrated: software that passes network data directly to Outside In Technology is most exposed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for any application using Outside In Technology, potentially affecting multiple business systems simultaneously if the SDK is widely deployed.

🟠 Likely Case

Service disruption for specific applications that process untrusted files via Outside In Technology, leading to application crashes and downtime.

🟢 If Mitigated

Limited impact if network access is restricted and input validation prevents malicious payloads from reaching the vulnerable component.

🌐 Internet-Facing: HIGH - Unauthenticated network exploitation via HTTP makes internet-facing systems particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems remain vulnerable to insider threats or compromised internal hosts, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle describes this as 'easily exploitable' with unauthenticated network access via HTTP. No public exploit code was found in initial research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update October 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Review the Oracle Critical Patch Update Advisory for October 2021.
2. Download and apply the appropriate patches for your Oracle Fusion Middleware installation.
3. Restart affected services.
4. For third-party software using the Outside In SDK, contact the respective vendors for updates.

🔧 Temporary Workarounds

Network Segmentation (applies to: all platforms)

  • Restrict network access to systems using Outside In Technology to trusted sources only
  • Use firewall rules to limit HTTP access to affected systems

Input Validation (applies to: all platforms)

  • Implement strict input validation before passing data to Outside In Technology components

🧯 If You Can't Patch

  • Implement network controls to restrict access to affected systems from untrusted networks
  • Monitor systems for crash/hang events and implement rapid response procedures

🔍 How to Verify

Check if Vulnerable:

Check Oracle Fusion Middleware version and Outside In Technology component version. For third-party software, consult vendor documentation.

Check Version:

For Oracle products: opatch lsinventory | grep -i 'outside'

Verify Fix Applied:

Verify patch installation with the Oracle OPatch utility, or check component version numbers against the patched versions listed in the Oracle advisory.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or hangs related to Outside In Technology
  • Error logs mentioning Outside In Filters component failures
  • Unusual HTTP requests to services using Outside In

Network Indicators:

  • HTTP requests causing application crashes
  • Traffic spikes followed by service unavailability

SIEM Query:

(source="*oracle*" AND ("crash" OR "hang" OR "outside in")) OR (http.status>=500 AND uri.path contains <your-file-processing-endpoints>)

The query is pseudo-syntax: the explicit parentheses separate the two indicator groups (application crash/hang messages versus 5xx responses on file-processing endpoints), and the endpoint placeholder must be filled in for your deployment.
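As an added detection example (not from the advisory or from Oracle), the log indicators above applied to constructed sample logs: application log lines mentioning a crash, a hang or Outside In are correlated with 5xx responses on an assumed file-processing endpoint (/convert) within a short time window.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real Oracle output): an application log carrying
# the advisory's indicators and an HTTP access log in combined format.
APP_LOG = """\
2021-10-20T10:01:02Z INFO  docconv worker started
2021-10-20T10:02:15Z ERROR Outside In Filters component failure while processing upload
2021-10-20T10:02:16Z FATAL docconv crash: worker terminated by signal
2021-10-20T10:30:00Z INFO  docconv worker started
"""
ACCESS_LOG = """\
203.0.113.10 - - [20/Oct/2021:10:02:14 +0000] "POST /convert HTTP/1.1" 500 12
203.0.113.10 - - [20/Oct/2021:10:02:17 +0000] "POST /convert HTTP/1.1" 503 0
198.51.100.7 - - [20/Oct/2021:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""
# Log indicators listed in the advisory: crash/hang events and Outside In errors.
APP_PATTERN = re.compile(r"crash|hang|outside in", re.IGNORECASE)
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
FILE_ENDPOINTS = ("/convert",)  # assumed file-processing endpoints; set per deployment

def app_events(text):
    """(timestamp, line) for application log lines that match the indicators."""
    events = []
    for line in text.splitlines():
        if APP_PATTERN.search(line):
            ts = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts.replace(tzinfo=timezone.utc), line))
    return events

def access_records(text):
    """(timestamp, client ip, path, status) for each parseable access log line."""
    records = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            records.append((ts, m["ip"], m["path"], int(m["status"])))
    return records

def correlate(app_text, access_text, window=timedelta(seconds=60)):
    """Tie each crash/hang event to 5xx responses on file-processing endpoints
    within +/- window, so the client request that preceded a crash stands out."""
    alerts = []
    for ev_ts, ev_line in app_events(app_text):
        for ts, ip, path, status in access_records(access_text):
            if status >= 500 and path.startswith(FILE_ENDPOINTS) and abs(ts - ev_ts) <= window:
                alerts.append({"event": ev_line, "client": ip, "path": path, "status": status})
    return alerts
```

Each alert pairs one indicator line with one suspect request; with the sample data, both Outside In events land within a minute of the two 5xx responses from the same client, which is the pattern worth paging on.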

🔗 References