CVE-2021-35587
📋 TL;DR
This critical vulnerability in Oracle Access Manager allows unauthenticated attackers to remotely compromise the system via HTTP requests, potentially leading to complete system takeover. It affects Oracle Fusion Middleware's OpenSSO Agent component in specific versions. Organizations using affected Oracle Access Manager deployments are at immediate risk.
💻 Affected Systems
- Oracle Access Manager
- Oracle Fusion Middleware
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Oracle Access Manager allowing attackers to gain administrative control, access sensitive authentication data, modify configurations, and potentially pivot to other systems.
Likely Case
Attackers gain unauthorized access to the authentication system, potentially compromising user credentials, bypassing security controls, and accessing protected resources.
If Mitigated
With proper network segmentation and access controls, impact could be limited to the Oracle Access Manager instance itself, though credential exposure would still be significant.
🎯 Exploit Status
CISA has confirmed this vulnerability is being actively exploited in the wild. The CVSS 9.8 score and the advisory's 'easily exploitable' wording indicate that exploitation requires no authentication and little effort.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Critical Patch Update (CPU) from January 2022 or later
Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2022.html
Restart Required: Yes
Instructions:
1. Download the appropriate Critical Patch Update from Oracle Support.
2. Apply the patch following Oracle's documentation.
3. Restart Oracle Access Manager services.
4. Verify the patch was successfully applied.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Oracle Access Manager to only trusted IP addresses and networks.
Use firewall rules to limit access (allow the trusted source first, then drop everything else on the OAM port):
iptables -A INPUT -p tcp --dport <OAM_PORT> -s <TRUSTED_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport <OAM_PORT> -j DROP
Web Application Firewall
Deploy a WAF with rules to block suspicious requests to Oracle Access Manager endpoints.
Configure the WAF to inspect and block malicious HTTP requests to OAM paths.
🧯 If You Can't Patch
- Isolate Oracle Access Manager in a separate network segment with strict access controls
- Implement additional authentication layers before Oracle Access Manager and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Oracle Access Manager version via administrative console or configuration files. Compare against affected versions: 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
Check Version:
Check the Oracle Home inventory, or run the opatch lsinventory command for Oracle installations.
Verify Fix Applied:
Verify patch application through Oracle Enterprise Manager or check version after applying Critical Patch Update
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts
- Unexpected configuration changes
- Access from unauthorized IP addresses
- HTTP requests to sensitive OAM endpoints
Network Indicators:
- Unusual traffic patterns to Oracle Access Manager ports
- HTTP requests with suspicious parameters
- Traffic from unexpected sources
SIEM Query:
source="oam.log" AND (event_type="authentication_failure" OR event_type="configuration_change") | stats count by src_ip
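The detection logic above (authentication failures and configuration changes grouped by source IP, with access from unauthorized addresses flagged), as an added example that is not part of this page or of any Oracle tooling. The key=value log format, the sample lines and the trusted network range are all constructed assumptions; adapt the parser to the real OAM log layout.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value layout (not real OAM output).
SAMPLE_LOG = """\
2022-01-20T10:01:02Z event_type=authentication_failure src_ip=203.0.113.7 user=admin
2022-01-20T10:01:03Z event_type=authentication_failure src_ip=203.0.113.7 user=admin
2022-01-20T10:01:05Z event_type=configuration_change src_ip=203.0.113.7 target=oam-config
2022-01-20T10:02:00Z event_type=authentication_success src_ip=10.0.5.12 user=jdoe
2022-01-20T10:03:11Z event_type=configuration_change src_ip=10.0.5.40 target=agent-profile
2022-01-20T10:04:00Z event_type=authentication_failure src_ip=10.0.5.12 user=jdoe
"""

# Assumption: administrative access to OAM is only expected from this internal range.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
WATCHED_EVENTS = {"authentication_failure", "configuration_change"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one line, or None if it lacks the fields we need."""
    fields = dict(KV_RE.findall(line))
    return fields if "event_type" in fields and "src_ip" in fields else None


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETWORKS)


def summarize(log_text, failure_threshold=2):
    """Mirror the SIEM query: count watched events per src_ip, then flag suspicious sources.

    Returns a list of (src_ip, {event_type: count}, [reasons]) for flagged sources only.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and fields["event_type"] in WATCHED_EVENTS:
            counts[fields["src_ip"]][fields["event_type"]] += 1

    findings = []
    for ip, by_type in counts.items():
        reasons = []
        if not is_trusted(ip):
            reasons.append("untrusted source")
        if by_type["authentication_failure"] >= failure_threshold:
            reasons.append("repeated authentication failures")
        if by_type["authentication_failure"] and by_type["configuration_change"]:
            reasons.append("configuration change after authentication failures")
        if reasons:
            findings.append((ip, dict(by_type), reasons))
    return findings
```

Running `summarize(SAMPLE_LOG)` flags only 203.0.113.7, which is outside the trusted range, failed authentication twice and then changed configuration.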