CVE-2022-21255

8.1 HIGH

📋 TL;DR

This vulnerability in Oracle Configurator (part of Oracle E-Business Suite) allows authenticated attackers with low privileges to perform unauthorized data manipulation and access sensitive information via HTTP requests. It affects Oracle E-Business Suite versions 12.2.3 through 12.2.11. Attackers can create, delete, or modify critical data and access confidential information.

💻 Affected Systems

Products:
  • Oracle E-Business Suite - Oracle Configurator
Versions: 12.2.3 through 12.2.11
Operating Systems: All platforms running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the UI Servlet component specifically. Requires Oracle Configurator to be installed and accessible via HTTP.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Oracle Configurator data including unauthorized access to all sensitive information and ability to manipulate critical business data, potentially leading to data integrity loss, business disruption, and regulatory compliance violations.

🟠 Likely Case

Unauthorized data access and modification by authenticated users with low privileges, leading to data breaches and integrity issues within the Oracle Configurator component.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access controls, and monitoring are implemented, though the vulnerability remains present.

🌐 Internet-Facing: HIGH - The vulnerability is network accessible via HTTP and requires only low privileges, making internet-facing instances particularly vulnerable to exploitation.
🏢 Internal Only: HIGH - Even internally, low-privileged authenticated users can exploit this vulnerability to access and manipulate sensitive data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle describes it as 'easily exploitable' and requires only low privileged access with network connectivity via HTTP. No authentication bypass is required beyond having a low-privileged account.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the January 2022 Critical Patch Update for Oracle E-Business Suite

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2022.html

Restart Required: Yes

Instructions:

1. Download the January 2022 Critical Patch Update for Oracle E-Business Suite from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart affected Oracle E-Business Suite services.
4. Test the application functionality post-patch.

🔧 Temporary Workarounds

Network Access Restriction

Platforms: all

Restrict network access to Oracle Configurator UI Servlet to only trusted IP addresses and networks

Use firewall rules to limit access (the ACCEPT rule must be appended before the DROP rule, otherwise trusted sources are blocked as well; [PORT] is the port on which the Configurator UI Servlet is reachable):
iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP

Privilege Reduction

Platforms: all

Review and reduce privileges for all Oracle Configurator users to minimum required levels

Review user accounts in Oracle E-Business Suite (the LIKE '%' filter in the original query matches every user name, so it is dropped; FND_USER lists accounts, not their responsibilities): SELECT USER_NAME, START_DATE, END_DATE FROM FND_USER ORDER BY USER_NAME;
Then review each account's assigned responsibilities and revoke unnecessary privileges using Oracle E-Business Suite administration tools

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Oracle Configurator
  • Enforce principle of least privilege by reviewing and reducing user permissions to absolute minimum required

🔍 How to Verify

Check if Vulnerable:

Check Oracle E-Business Suite version: SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS; and check whether the returned value is between 12.2.3 and 12.2.11 inclusive. Applying the Critical Patch Update does not change RELEASE_NAME, so an in-range release is only confirmed vulnerable if the patch check under "Verify Fix Applied" finds no CPU patch.

Check Version:

SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS;

Verify Fix Applied:

Verify patch application: SELECT PATCH_NAME, APPLIED_DATE FROM AD_APPLIED_PATCHES WHERE PATCH_NAME LIKE '%[PATCH_NUMBER]%'; where [PATCH_NUMBER] is the Oracle patch number of the January 2022 CPU patch for E-Business Suite listed in the vendor advisory (PATCH_NAME holds patch numbers, so a literal '%JAN2022%' pattern will not match), and confirm the patch is listed
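The two checks above (release in range, CPU patch present) are easy to get wrong when the release string is compared as text, because '12.2.11' sorts before '12.2.3' as a string. The following added example, which is not part of the advisory and not Oracle code, combines both checks over values that would be returned by the two queries. The RELEASE_NAME values and the patch numbers in it are constructed placeholders; substitute the patch number from the vendor advisory.

```python
"""Added example (not from the advisory or Oracle): classify an EBS instance
from the output of SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS and
SELECT PATCH_NAME FROM AD_APPLIED_PATCHES.  All sample values are constructed."""

AFFECTED_MIN = (12, 2, 3)    # 12.2.3 (from the advisory)
AFFECTED_MAX = (12, 2, 11)   # 12.2.11 (from the advisory)

# Constructed placeholders; the real January 2022 CPU patch numbers come
# from https://www.oracle.com/security-alerts/cpujan2022.html
CPU_PATCH_NUMBERS = ["99990001", "99990002"]


def parse_release(release_name):
    """'12.2.11' -> (12, 2, 11).  Comparing integer tuples, not strings, is what
    makes 12.2.11 come after 12.2.3 (as strings, '12.2.11' < '12.2.3')."""
    parts = release_name.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable RELEASE_NAME: {release_name!r}")
    return tuple(int(p) for p in parts)


def is_affected_release(release_name):
    """True when the release lies in the affected range, inclusive."""
    return AFFECTED_MIN <= parse_release(release_name) <= AFFECTED_MAX


def cpu_patch_applied(applied_patch_names, cpu_patch_numbers=CPU_PATCH_NUMBERS):
    """True when any CPU patch number appears among applied PATCH_NAME values."""
    applied = {p.strip() for p in applied_patch_names}
    return any(num in applied for num in cpu_patch_numbers)


def assess(release_name, applied_patch_names, cpu_patch_numbers=CPU_PATCH_NUMBERS):
    """Combine both checks: vulnerable only if the release is in range AND
    no CPU patch has been applied (RELEASE_NAME does not change on patching)."""
    if not is_affected_release(release_name):
        return "not affected (release out of range)"
    if cpu_patch_applied(applied_patch_names, cpu_patch_numbers):
        return "patched"
    return "vulnerable (affected release, CPU patch not applied)"


if __name__ == "__main__":
    # Constructed query results for three instances.
    instances = {
        "ebs-prod": ("12.2.11", ["31234567", "99990001"]),
        "ebs-test": ("12.2.3", ["31234567"]),
        "ebs-old":  ("12.2.2", []),
    }
    for name, (release, patches) in instances.items():
        print(f"{name}: {release} -> {assess(release, patches)}")
```

The string-comparison pitfall is the reason `parse_release` exists: a check written as `'12.2.3' <= release <= '12.2.11'` would wrongly report 12.2.11 as out of range.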

📡 Detection & Monitoring

Log Indicators:

  • Unusual data access patterns in Oracle Configurator logs
  • Multiple failed authentication attempts followed by successful low-privilege access
  • Unexpected data modification events in audit logs

Network Indicators:

  • Unusual HTTP traffic patterns to Oracle Configurator UI Servlet endpoints
  • Traffic from unexpected sources to Configurator ports

SIEM Query:

source="oracle-ebs" (event_type="data_access" OR event_type="data_modification") user_privilege="low" AND result="success" | stats count by src_ip, user
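The SIEM query above is written in Splunk-style search syntax against fields a particular integration would have to supply. The following added example, which is not part of the advisory, applies the same logic (count successful low-privilege data access or modification events per source IP and user, and flag sources outside the trusted segment from the Network Indicators list) to constructed key=value audit records. The record format, field names and trusted network are assumptions for the example, not Oracle's actual log format.

```python
"""Added example (not from the advisory): run the page's detection logic over
CONSTRUCTED audit records.  The key=value line format, the field names
(src_ip, user, user_privilege, event_type, result) and the trusted network
are assumptions of this example, not Oracle E-Business Suite's real log format."""
import ipaddress
import re
from collections import Counter

# Constructed sample records; field names mirror the SIEM query on the page.
SAMPLE_LOG = """\
ts=2022-01-19T10:00:01Z src_ip=10.20.0.5 user=jsmith user_privilege=low event_type=data_access result=success
ts=2022-01-19T10:00:07Z src_ip=10.20.0.5 user=jsmith user_privilege=low event_type=data_modification result=success
ts=2022-01-19T10:01:15Z src_ip=203.0.113.44 user=contractor1 user_privilege=low event_type=data_modification result=success
ts=2022-01-19T10:01:16Z src_ip=203.0.113.44 user=contractor1 user_privilege=low event_type=data_modification result=success
ts=2022-01-19T10:01:17Z src_ip=203.0.113.44 user=contractor1 user_privilege=low event_type=data_modification result=success
ts=2022-01-19T10:02:00Z src_ip=10.20.0.9 user=admin1 user_privilege=high event_type=data_modification result=success
ts=2022-01-19T10:02:30Z src_ip=10.20.0.5 user=jsmith user_privilege=low event_type=data_modification result=failure
"""

# Assumed trusted segment (hypothetical): the only network expected to reach the UI Servlet.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
REQUIRED_FIELDS = {"src_ip", "user", "user_privilege", "event_type", "result"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Parse key=value lines into dicts; lines missing required fields are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if REQUIRED_FIELDS.issubset(fields):
            records.append(fields)
    return records


def low_priv_success_counts(records):
    """Equivalent of the SIEM query: count successful low-privilege
    data_access/data_modification events by (src_ip, user)."""
    counts = Counter()
    for r in records:
        if (r["event_type"] in ("data_access", "data_modification")
                and r["user_privilege"] == "low"
                and r["result"] == "success"):
            counts[(r["src_ip"], r["user"])] += 1
    return dict(counts)


def untrusted_sources(records):
    """Network indicator: source IPs outside the trusted segment."""
    bad = set()
    for r in records:
        ip = ipaddress.ip_address(r["src_ip"])
        if not any(ip in net for net in TRUSTED_NETS):
            bad.add(r["src_ip"])
    return sorted(bad)


def alerts(records, threshold=3):
    """Return (src_ip, user, reasons) for pairs that reach the event threshold
    or originate outside the trusted network."""
    counts = low_priv_success_counts(records)
    untrusted = set(untrusted_sources(records))
    out = []
    for (ip, user), n in sorted(counts.items()):
        reasons = []
        if n >= threshold:
            reasons.append(f"{n} successful low-privilege data events")
        if ip in untrusted:
            reasons.append("source outside trusted network")
        if reasons:
            out.append((ip, user, reasons))
    return out


if __name__ == "__main__":
    for ip, user, reasons in alerts(parse_records(SAMPLE_LOG)):
        print(f"ALERT {ip} {user}: {'; '.join(reasons)}")
```

The failed modification by jsmith is excluded by the `result="success"` condition, exactly as in the SIEM query, and admin1 is excluded by `user_privilege="low"`; the threshold and trusted network are tuning knobs that a real deployment would set from its own baseline.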

🔗 References
