CVE-2021-35654

CVSS Base Score: 7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers with network access via HTTP to cause a denial of service (DoS) by crashing or hanging Oracle Essbase Administration Services. It affects Oracle Essbase Administration Services versions prior to 11.1.2.4.046 and prior to 21.3.

💻 Affected Systems

Products:
  • Oracle Essbase Administration Services
Versions: Prior to 11.1.2.4.046 and Prior to 21.3
Operating Systems: All supported platforms for Oracle Essbase
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the EAS Console component specifically. Requires HTTP network access to the administration services.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete unavailability of Essbase Administration Services, disrupting business operations that depend on Essbase administration capabilities.

🟠 Likely Case

Service disruption causing administrative tasks to fail and requiring a service restart.

🟢 If Mitigated

Limited impact if network access is restricted and the service sits behind proper authentication.

🌐 Internet-Facing: HIGH - Because no authentication is needed and the trigger is plain HTTP, internet-facing instances are highly exposed to DoS.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still trigger the DoS, but the attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The CVSS assessment describes the issue as 'easily exploitable' with low attack complexity; no authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.2.4.046 or 21.3 and later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support.
2. Apply the patch according to Oracle's documentation.
3. Restart Essbase Administration Services.
4. Verify the service is running correctly.

🔧 Temporary Workarounds

Network Segmentation
Applies to: all

Restrict network access to Essbase Administration Services to trusted IP addresses only. Use firewall rules to limit access to specific source IPs.

Authentication Proxy
Applies to: all

Place an authentication proxy in front of Essbase Administration Services to require authentication before a request reaches the vulnerable service. Configure a reverse proxy with authentication (e.g., Apache/Nginx with auth modules).

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP access to Essbase Administration Services
  • Monitor for unusual traffic patterns or repeated connection attempts to the administration service

🔍 How to Verify

Check if Vulnerable:

Check the version of Essbase Administration Services. A system on the 11.1.2.4 release line is vulnerable if its version is below 11.1.2.4.046; a system on the 21 release line is vulnerable if its version is below 21.3.

Check Version:

Consult the Oracle documentation for the version-checking procedure specific to your Essbase installation.

Verify Fix Applied:

After patching, verify that the reported version is 11.1.2.4.046 or higher, or 21.3 or higher, and test service functionality.
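The version comparison above has to be branch-aware: an 11.1.2.4.x build is never "below 21.3" in any useful sense, and the patch-set number carries a leading zero ("046") that a naive string compare gets wrong. The following is an added example, not Oracle tooling; it takes a version string obtained by whatever means the Oracle documentation prescribes for your install and reports whether it falls below the fixed build for its release line. Versions on release lines the advisory does not mention are reported as out of scope rather than silently marked safe.

```python
# Added example (not Oracle's code): branch-aware check against the fixed
# versions CVE-2021-35654's advisory lists: 11.1.2.4.046 and 21.3.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Release line (leading component) -> first fixed version on that line.
FIXED_BY_LINE = {
    (11,): (11, 1, 2, 4, 46),  # 11.1.2.4.046 ("046" parses to 46)
    (21,): (21, 3),            # 21.3
}


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '11.1.2.4.046' or '21.3'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    # int() normalises the zero-padded patch-set number ('046' -> 46).
    return tuple(int(p) for p in parts)


def _padded(v: Version, width: int) -> Version:
    # Pad with zeros so '21.3' compares equal to '21.3.0', not below it.
    return v + (0,) * (width - len(v))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if below the fixed build for its release line, False if at or
    above it, None if the version is on a line the advisory does not cover
    (treat None as 'needs manual review', never as 'safe')."""
    v = parse_version(text)
    for line, fixed in FIXED_BY_LINE.items():
        if v[: len(line)] == line:
            width = max(len(v), len(fixed))
            return _padded(v, width) < _padded(fixed, width)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, as an operator might collect from several hosts.
    for sample in ("11.1.2.4.045", "11.1.2.4.046", "21.2", "21.3", "12.2.1.4"):
        print(sample, "->", is_vulnerable(sample))
```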

📡 Detection & Monitoring

Log Indicators:

  • Repeated service crashes or hangs in Essbase Administration Services logs
  • Unusual HTTP traffic patterns to administration console

Network Indicators:

  • Multiple HTTP requests from single sources to administration endpoints
  • Traffic spikes followed by service unavailability

SIEM Query:

source="essbase_admin.log" AND ("crash" OR "hang" OR "unresponsive")
