CVE-2021-35574

7.5 HIGH

📋 TL;DR

This vulnerability in Oracle Outside In Technology allows unauthenticated attackers to cause denial of service by crashing or hanging the software via network requests. It affects any system using Oracle Fusion Middleware with Outside In Filters version 8.5.5. The impact is limited to availability disruption rather than data compromise.

💻 Affected Systems

Products:
  • Oracle Fusion Middleware with Outside In Filters component
Versions: 8.5.5
Operating Systems: All platforms running affected Oracle software
Default Config Vulnerable: ⚠️ Yes
Notes: Risk depends on how applications use Outside In Technology; it is highest when network-supplied data is passed to it directly

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service for any application using Outside In Technology, rendering affected services unavailable until restart

🟠 Likely Case: Service disruption for applications processing untrusted files via Outside In Technology, requiring manual intervention to restore

🟢 If Mitigated: Minimal impact if proper network segmentation and input validation are implemented

🌐 Internet-Facing: HIGH - Unauthenticated network access allows remote attackers to trigger DoS
🏢 Internal Only: MEDIUM - Internal attackers or malware could still exploit, but requires network access

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle describes the vulnerability as 'easily exploitable', requiring no authentication, over HTTP

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Updates

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Review Oracle Critical Patch Update advisories
2. Apply relevant patches for Oracle Fusion Middleware
3. Restart affected services
4. Verify patch application

🔧 Temporary Workarounds

Network segmentation (applies to: all platforms)

Restrict network access to systems using Outside In Technology

Input validation (applies to: all platforms)

Implement strict input validation before passing data to Outside In Technology

🧯 If You Can't Patch

  • Implement network controls to restrict access to affected systems
  • Monitor for abnormal service crashes and implement rapid restart procedures

🔍 How to Verify

Check if Vulnerable:

Check the Oracle Fusion Middleware version and whether the Outside In Technology component is version 8.5.5

Check Version:

Oracle-specific version checking commands depend on deployment

Verify Fix Applied:

Verify patch application via Oracle patch management tools and confirm that the reported component version has been updated

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service crashes
  • Hanging processes related to Outside In Technology
  • Abnormal HTTP requests to affected services

Network Indicators:

  • Multiple HTTP requests causing service disruption
  • Traffic patterns targeting Outside In endpoints

SIEM Query:

Search for: 'Oracle Outside In crash' OR 'service restart' AND 'HTTP request'
