CVE-2021-35662

CVSS 3.1 Base Score: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, availability impact only)

📋 TL;DR

This vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters) lets an unauthenticated attacker with network access via HTTP cause a hang or a frequently repeatable crash (complete denial of service) of Outside In Technology. The affected supported version is 8.5.5, and no user interaction is required. Because Outside In is a suite of SDKs, the protocol and the real-world score depend on the application that embeds it: the 7.5 rating assumes the application passes data received over the network straight to Outside In code.

💻 Affected Systems

Products:
  • Oracle Outside In Technology (Oracle Fusion Middleware), component Outside In Filters
Versions: 8.5.5
Operating Systems: All platforms supported by Oracle Outside In Technology
Default Config Vulnerable: ⚠️ Yes, whenever the embedding application feeds network-supplied documents to the filters
Notes: Outside In Technology is a suite of SDKs, so the actual impact depends on how the embedding application exposes them. Applications that pass data received over a network directly to Outside In code match the scored scenario; if the data does not arrive over a network, the effective score may be lower. Third-party products that bundle the Outside In SDK carry the same code and need the vendor's corresponding patch.

📦 What is this software?

Oracle Outside In Technology is a family of SDKs (filters, viewers, converters) that identify, extract text from and convert a large number of document, spreadsheet, image and archive formats. It ships with Oracle Fusion Middleware components and is also licensed into third-party applications that must parse untrusted documents, so the vulnerable filter code can be present in products that do not carry the Oracle name.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for any application using Outside In Technology, potentially affecting every business process that relies on its document processing.

🟠 Likely Case

Service disruption for applications that use Outside In Technology for document conversion or processing, leading to temporary unavailability of the affected services.

🟢 If Mitigated

Limited impact if network access is restricted, or if input gating and process isolation keep malicious payloads from reaching the vulnerable component or contain the crash when they do.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle describes this as 'easily exploitable' with no authentication required. The attack vector is listed as HTTP, which makes exposed document-upload or conversion endpoints the obvious target; note that Oracle also states the protocol depends on the software that uses the Outside In code, so an application that receives documents by other means (mail, file share, message queue) is exposed over that channel instead.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Oracle Critical Patch Update for October 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Review the Oracle Critical Patch Update Advisory for October 2021 and the Fusion Middleware risk matrix entry for CVE-2021-35662.
2. Apply the patch that matches your Oracle Fusion Middleware installation (for a product that embeds the Outside In SDK, obtain the patched SDK from that product's vendor).
3. Restart affected services.
4. Test document processing functionality.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Restrict network access to services using Outside In Technology to trusted sources only.

Input Validation (all platforms)

Enforce strict size limits and a file-type allowlist before data is handed to Outside In Technology components. Caveat: the vulnerable component is the parser itself, so validation cannot inspect the document body safely; its value is excluding formats and sizes the application never needs. Pair it with process isolation (run the filter in a separate, resource-limited worker with a wall-clock timeout) so a hang or crash costs one request rather than the service.

🧯 If You Can't Patch

  • Implement network controls to restrict access to affected services
  • Monitor for abnormal service behavior and implement rate limiting
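The workarounds above (network restriction, input validation) and the "can't patch" advice reduce exposure but cannot make the filter parse safely; what a practitioner can do is gate what reaches the filter and contain what happens when it hangs or crashes. The following is an added example written for this page, not Oracle's code and not a call into any Outside In API: a Python gatekeeper that enforces a size limit and a magic-byte allowlist, then runs the converter as an isolated, resource-limited subprocess with a wall-clock timeout so a hang or crash becomes a failed request instead of an outage. CONVERTER_CMD, the limits and the format list are placeholders and assumptions; replace them with your own converter invocation and policy. POSIX only.

```python
"""Gate untrusted documents and isolate the converter process.

Added example for this advisory page; it is not Oracle code and does not call the
Outside In API. CONVERTER_CMD is a placeholder for whatever wrapper invokes the
Outside In based converter on your system. POSIX only (uses the resource module).
"""
import resource
import subprocess

MAX_BYTES = 25 * 1024 * 1024          # reject oversized uploads before parsing (assumed policy)
CONVERT_TIMEOUT_S = 30                # wall-clock cap per document: a hang becomes a failed request
MAX_ADDRESS_SPACE = 512 * 1024 * 1024
MAX_CPU_SECONDS = 60
CONVERTER_CMD = ["/opt/docproc/bin/convert"]  # placeholder; assumed to take <input> <output_dir>

# Content-sniffing allowlist: leading bytes -> container kind (illustrative subset).
MAGIC = (
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "ooxml"),                         # OOXML is a zip container
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy Office (doc/xls/ppt)
)
EXT_TO_KIND = {"pdf": "pdf", "docx": "ooxml", "xlsx": "ooxml", "pptx": "ooxml",
               "doc": "ole2", "xls": "ole2", "ppt": "ole2"}


def identify(data: bytes):
    """Return the container kind from the leading bytes, or None if not allowlisted."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def validate(data: bytes, declared_ext: str, max_bytes: int = MAX_BYTES):
    """Cheap checks that never parse the document body; returns (accepted, reason_or_kind)."""
    if not data:
        return False, "empty"
    if len(data) > max_bytes:
        return False, "too large"
    kind = identify(data)
    if kind is None:
        return False, "unrecognised or disallowed format"
    if EXT_TO_KIND.get(declared_ext.lower()) != kind:
        return False, "extension/content mismatch"
    return True, kind


def _limit_child():
    """Runs in the child before exec: cap memory and CPU without exceeding the hard limit."""
    for res, cap in ((resource.RLIMIT_AS, MAX_ADDRESS_SPACE),
                     (resource.RLIMIT_CPU, MAX_CPU_SECONDS)):
        _soft, hard = resource.getrlimit(res)
        if hard != resource.RLIM_INFINITY:
            cap = min(cap, hard)
        resource.setrlimit(res, (cap, hard))


def convert_isolated(input_path: str, output_dir: str,
                     cmd=CONVERTER_CMD, timeout_s: float = CONVERT_TIMEOUT_S):
    """Run the converter out of process. Returns (status, code) where status is
    'ok', 'error' (non-zero exit), 'crash' (killed by a signal) or 'hang' (timeout)."""
    try:
        proc = subprocess.run([*cmd, input_path, output_dir], timeout=timeout_s,
                              preexec_fn=_limit_child, capture_output=True, check=False)
    except subprocess.TimeoutExpired:
        return "hang", None                 # subprocess.run has already killed the child
    if proc.returncode < 0:
        return "crash", proc.returncode     # negative return code = terminated by that signal
    if proc.returncode != 0:
        return "error", proc.returncode
    return "ok", 0


if __name__ == "__main__":
    print("validate:", validate(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", "pdf"))
    # Stand-in command so the isolation path can be exercised without a real converter.
    print("isolated run:", convert_isolated("in.pdf", "/tmp/out",
                                            cmd=["sh", "-c", "sleep 5"], timeout_s=0.5))
```

Magic-byte gating is coarse (every OOXML file is a zip), and its purpose is to exclude the many formats the application never needs, shrinking the attack surface inside the filter. The isolation is the part that addresses this CVE's impact: the 'crash' and 'hang' statuses it returns are exactly the events the Detection & Monitoring section says to count.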

🔍 How to Verify

Check if Vulnerable:

Inventory every application that embeds Outside In Technology 8.5.5, Oracle Fusion Middleware components and third-party products alike, and determine whether each one accepts documents from the network (upload endpoints, mail or file-share ingestion, conversion APIs).

Check Version:

For Oracle Fusion Middleware installations, list the installed patches with OPatch (opatch lsinventory from the Oracle home) and compare against the patch numbers in the October 2021 advisory. For a standalone SDK deployment or a third-party product, consult the vendor's documentation for where the bundled Outside In version and patch level are recorded.

Verify Fix Applied:

Confirm that the October 2021 (or later) Critical Patch Update patch appears in the patch inventory. Verify by patch number rather than by version string alone: the Outside In version may still read 8.5.5 after the patch is applied, so "updated beyond 8.5.5" is not a reliable test.

📡 Detection & Monitoring

Log Indicators:

  • Multiple service crashes or hangs
  • Abnormal termination of Outside In processes
  • Increased error rates in document processing

Network Indicators:

  • HTTP requests to Outside In endpoints with malformed document data
  • Unusual traffic patterns to document processing services

SIEM Query (illustrative; the field names are placeholders to be mapped onto your SIEM's schema):

Search for: (process_name:"OutsideIn" OR service_name:"OutsideIn") AND (event_type:crash OR status:failed)

Alert on a burst of such events per host within a short window rather than on single occurrences, since corrupt but benign documents also crash filters occasionally.
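The indicators above are the footprint of this CVE: repeated abnormal terminations of the converter rather than a signature inside the document. As an added example (written for this page, not taken from Oracle or from the page's own tooling), here is detection logic run over constructed worker log lines: it raises an alert when one host sees a burst of crashes or timeouts, and flags a client that repeatedly triggers them as a candidate for the rate limiting suggested under "If You Can't Patch". The log format, hostnames, client addresses and thresholds are all assumptions; adapt the regular expression to what your worker actually logs.

```python
"""Detect bursts of converter crashes/hangs in worker logs.

Added example for this advisory; the log format below is constructed for the
example and is not an Oracle or Outside In log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: one converter worker log line per document processed.
SAMPLE_LOG = [
    "2021-10-20T10:00:01Z docproc-01 converter worker pid=4121 exited signal=SIGSEGV client=203.0.113.7 file=upload-1.doc",
    "2021-10-20T10:00:04Z docproc-01 converter worker pid=4122 exited rc=0 client=198.51.100.20 file=report.pdf",
    "2021-10-20T10:00:09Z docproc-01 converter worker pid=4123 timeout after 30s client=203.0.113.7 file=upload-2.doc",
    "2021-10-20T10:00:15Z docproc-01 converter worker pid=4124 exited signal=SIGABRT client=203.0.113.7 file=upload-3.doc",
    "2021-10-20T10:20:00Z docproc-02 converter worker pid=901 exited signal=SIGSEGV client=198.51.100.9 file=old.xls",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) converter worker pid=(?P<pid>\d+) "
    r"(?P<event>exited signal=\w+|timeout after \d+s|exited rc=\d+) "
    r"client=(?P<client>\S+) file=(?P<file>\S+)$"
)


def parse(line: str):
    """Parse one line into a dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Killed by a signal (crash) or timed out (hang) is abnormal; a non-zero rc is an ordinary parse error.
    ev["abnormal"] = ev["event"].startswith(("exited signal=", "timeout"))
    return ev


def detect(lines, host_threshold=3, client_threshold=2, window_s=300):
    """Sliding-window counters over abnormal terminations.

    Returns alerts as (kind, key, time): 'host_burst' when one host reaches
    host_threshold abnormal exits within window_s seconds, 'client_repeat' when one
    client address triggers client_threshold of them. Each (kind, key) alerts once.
    """
    alerts = []
    windows = {"host_burst": defaultdict(deque), "client_repeat": defaultdict(deque)}
    thresholds = {"host_burst": host_threshold, "client_repeat": client_threshold}
    fired = set()
    for line in lines:
        ev = parse(line)
        if ev is None or not ev["abnormal"]:
            continue
        now = ev["ts"]
        for kind, key in (("host_burst", ev["host"]), ("client_repeat", ev["client"])):
            buf = windows[kind][key]
            buf.append(now)
            while (now - buf[0]).total_seconds() > window_s:   # expire events outside the window
                buf.popleft()
            if len(buf) >= thresholds[kind] and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append((kind, key, now))
    return alerts


if __name__ == "__main__":
    for kind, key, when in detect(SAMPLE_LOG):
        print(f"{when.isoformat()} {kind} {key}")
```

The thresholds are deliberately low for the sample. In production, set host_threshold against your normal crash baseline (corrupt but benign documents crash filters too) and feed the client_repeat alert to whatever component enforces the rate limit, so the client that is hammering the filter is throttled before the host alert fires.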

🔗 References

  • Oracle Critical Patch Update Advisory, October 2021: https://www.oracle.com/security-alerts/cpuoct2021.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-35662