CVE-2021-35656

7.5 HIGH

📋 TL;DR

This vulnerability in Oracle Outside In Technology allows unauthenticated attackers to cause denial of service by crashing or hanging the software via HTTP requests. It affects Oracle Fusion Middleware using Outside In Filters version 8.5.5. Organizations using Oracle products that incorporate this SDK are vulnerable.

💻 Affected Systems

Products:
  • Oracle Fusion Middleware (Outside In Filters component)
  • Any software using Oracle Outside In Technology SDK
Versions: 8.5.5
Operating Systems: All platforms supported by Oracle Outside In Technology
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the SDK itself, so impact depends on how applications implement it. Applications that pass network data directly to Outside In Technology are most vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for any application using Outside In Technology, rendering affected services unavailable until restart.

🟠 Likely Case

Service disruption for applications processing untrusted files via Outside In Technology, requiring manual intervention to restore functionality.

🟢 If Mitigated

Limited impact if network access is restricted or input validation prevents malicious payloads from reaching the vulnerable component.

🌐 Internet-Facing: HIGH - Unauthenticated network access via HTTP makes internet-facing systems particularly vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal systems remain vulnerable to insider threats or compromised internal accounts, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle describes it as 'easily exploitable' with unauthenticated network access via HTTP. No public exploit code was found in initial research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Oracle Critical Patch Update for October 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Review the Oracle Critical Patch Update Advisory for October 2021.
2. Apply the relevant patches for Oracle Fusion Middleware.
3. Restart affected services.
4. Update any custom applications using the Outside In Technology SDK.

🔧 Temporary Workarounds

Network Segmentation (platforms: all)

Restrict network access to services using Outside In Technology to trusted sources only.

Input Validation (platforms: all)

Implement strict input validation and sanitization before passing data to Outside In Technology.

🧯 If You Can't Patch

  • Implement network controls to restrict HTTP access to affected services
  • Monitor for abnormal service crashes or hangs and implement automated restart procedures

🔍 How to Verify

Check if Vulnerable:

Check if Oracle Fusion Middleware or other software uses Outside In Technology version 8.5.5. Review application dependencies and Oracle component versions.

Check Version:

opatch lsinventory (Oracle-specific) or check application dependency manifests

Verify Fix Applied:

Verify patch installation via Oracle OPatch utility or version checks. Confirm Outside In Technology is updated beyond version 8.5.5.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service crashes
  • Application hangs
  • Error logs related to Outside In Technology processing

Network Indicators:

  • HTTP requests to Outside In Technology endpoints followed by service disruption
  • Abnormal traffic patterns to affected services

SIEM Query:

source="*oracle*" AND (event="crash" OR event="hang") AND component="Outside In"
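An added example, not from this page or from Oracle, that applies the indicators above to constructed log lines: it filters on the same source/event/component fields as the SIEM query and, for each Outside In crash or hang, lists the HTTP requests to the Outside In endpoint seen shortly before it. The key=value log format, the field names and the 30-second correlation window are assumptions.

```python
"""Correlate Outside In crash/hang events with preceding HTTP requests."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (key=value); not real Oracle log output.
SAMPLE_LOGS = [
    '2021-10-20T10:00:01Z source=oracle-fmw event=http_request component="Outside In" src=203.0.113.5 path=/convert',
    '2021-10-20T10:00:03Z source=oracle-fmw event=crash component="Outside In" pid=4242',
    '2021-10-20T10:05:00Z source=oracle-fmw event=http_request component="Outside In" src=198.51.100.9 path=/convert',
    '2021-10-20T10:30:00Z source=oracle-fmw event=hang component="Outside In" pid=4243',
    '2021-10-20T11:00:00Z source=nginx event=crash component="proxy"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split '<timestamp> k=v k="v with spaces" ...' into a dict."""
    ts_str, _, rest = line.partition(' ')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields['ts'] = datetime.strptime(ts_str, '%Y-%m-%dT%H:%M:%SZ')
    return fields


def is_outside_in_disruption(ev):
    """Same predicate as the SIEM query: oracle source, crash/hang, Outside In."""
    return ('oracle' in ev.get('source', '').lower()
            and ev.get('event') in ('crash', 'hang')
            and ev.get('component') == 'Outside In')


def correlate(lines, window=timedelta(seconds=30)):
    """Return one alert per disruption with the HTTP requests that preceded it."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e['ts'])
    alerts = []
    for ev in events:
        if not is_outside_in_disruption(ev):
            continue
        preceding = [r for r in events
                     if r.get('event') == 'http_request'
                     and r.get('component') == 'Outside In'
                     and ev['ts'] - window <= r['ts'] < ev['ts']]
        alerts.append({'ts': ev['ts'], 'event': ev['event'],
                       'preceding_requests': [(r['src'], r['path']) for r in preceding]})
    return alerts


if __name__ == '__main__':
    for a in correlate(SAMPLE_LOGS):
        print(a)
```

A hang with no request inside the window still produces an alert, so the detection does not depend on the request log being complete.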
