CVE-2021-35651

8.5 HIGH

📋 TL;DR

This vulnerability in Oracle Essbase Administration Services allows authenticated attackers with low privileges to access and modify sensitive data via HTTP. It affects the Essbase Administration Services console in versions prior to 11.1.2.4.046 and prior to 21.3, and may also impact other products connected to it.

💻 Affected Systems

Products:
  • Oracle Essbase Administration Services
Versions: Prior to 11.1.2.4.046 and Prior to 21.3
Operating Systems: All supported platforms for Oracle Essbase
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the EAS Console component specifically. Requires network access via HTTP and low-privileged credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of all Essbase Administration Services data, including unauthorized access to critical information and the ability to modify or delete data across connected systems.

🟠 Likely Case: Unauthorized access to sensitive business intelligence data and potential data manipulation within Essbase Administration Services.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent low-privileged users from reaching the vulnerable endpoints.

🌐 Internet-Facing: HIGH - HTTP accessible vulnerability with low attack complexity makes internet-facing instances prime targets.
🏢 Internal Only: HIGH - Even internally, low-privileged users can exploit this to escalate privileges and access sensitive data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle describes it as 'easily exploitable' with low attack complexity. It requires authenticated access, but only low privileges are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.2.4.046 or 21.3 and later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Download patches from Oracle Support.
2. Apply the Critical Patch Update for October 2021.
3. Restart Essbase Administration Services.
4. Verify patch application via version check.

🔧 Temporary Workarounds

Network Segmentation (all): Restrict network access to Essbase Administration Services to only trusted administrative networks.

Privilege Reduction (all): Review and minimize low-privileged user accounts with access to the EAS Console.

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP access to EAS Console
  • Monitor for unusual access patterns from low-privileged accounts to EAS endpoints

🔍 How to Verify

Check if Vulnerable:

Check the Essbase Administration Services version via the EAS Console interface or its configuration files.

Check Version:

Check the EAS Console version in the web interface or review the installation logs.

Verify Fix Applied:

Verify that the version is 11.1.2.4.046 or higher, or 21.3 or higher, after patching.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to EAS Console from low-privileged accounts
  • Multiple failed authentication attempts followed by successful access

Network Indicators:

  • HTTP traffic to EAS Console endpoints from unexpected sources
  • Unusual data extraction patterns

SIEM Query (pseudo-query; the original mixed a stray FROM into the boolean expression, so the filters are grouped here with AND, and field names are illustrative rather than taken from a specific log schema):

source="essbase" AND (event="unauthorized_access" OR event="data_access") AND user_role="low_privilege"
