CVE-2022-21346

7.5 HIGH

📋 TL;DR

This vulnerability in Oracle BI Publisher allows unauthenticated attackers with network access via HTTP to access sensitive data. It affects Oracle BI Publisher versions 5.5.0.0.0, 12.2.1.3.0, and 12.2.1.4.0. Attackers can read critical data without authentication.

💻 Affected Systems

Products:
  • Oracle BI Publisher
Versions: 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
Operating Systems: Any OS running Oracle BI Publisher
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Oracle Fusion Middleware component: BI Publisher Security. All deployments with affected versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Oracle BI Publisher accessible data, including sensitive business intelligence reports and confidential information.

🟠 Likely Case

Unauthorized access to business intelligence data, reports, and potentially sensitive organizational information.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthenticated HTTP access.

🌐 Internet-Facing: HIGH - Unauthenticated HTTP access from internet could lead to immediate data exfiltration.
🏢 Internal Only: MEDIUM - Internal attackers could exploit, but requires network access to BI Publisher instance.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Described as 'easily exploitable' in the Oracle advisory. No authentication is required, only HTTP network access to the BI Publisher instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update for January 2022

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2022.html

Restart Required: Yes

Instructions:

1. Download the Critical Patch Update for January 2022 from Oracle Support.
2. Apply the patch to affected BI Publisher instances.
3. Restart BI Publisher services.
4. Verify that the patch was applied.

🔧 Temporary Workarounds

Network Access Restriction

Restrict HTTP access to BI Publisher to trusted IP addresses only.

Configure firewall rules to allow only authorized IPs to reach the BI Publisher port (typically 9704).

Authentication Enforcement

Implement an additional authentication layer in front of BI Publisher.

Configure a reverse proxy with authentication (e.g., Apache/Nginx with auth) in front of BI Publisher.

🧯 If You Can't Patch

  • Isolate BI Publisher instance in separate network segment with strict access controls
  • Implement web application firewall (WAF) with rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Oracle BI Publisher version via the admin console or by examining the installation files.

Check Version:

Check the Oracle Home inventory or run the opatch lsinventory command.

Verify Fix Applied:

Verify that the Critical Patch Update for January 2022 is applied via Oracle Enterprise Manager or your patch management tools.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to BI Publisher endpoints from unauthenticated sources
  • Requests to sensitive report/data endpoints that have no corresponding authentication event in the logs

Network Indicators:

  • HTTP traffic to BI Publisher from unexpected IP addresses
  • Unusual data transfer volumes from BI Publisher

SIEM Query:

source="bipublisher" AND (http_status=200 OR http_status=302) AND user="-" | stats count by src_ip
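As an added example (not part of this advisory), the following Python applies the same logic as the SIEM query above to constructed access-log lines: it counts successful responses with no authenticated user per source IP, and a tighter variant sums the bytes of unauthenticated 200 responses while ignoring the login page, which is legitimately served to anonymous clients. The /xmlpserver paths, the login page path and the byte threshold are assumptions, not values from the advisory.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in combined log format (not real traffic).
# A "-" in the user field means the request carried no authenticated identity.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Jan/2022:10:01:02 +0000] "GET /xmlpserver/servlet/report?_xpt=1 HTTP/1.1" 200 48211
198.51.100.7 - - [18/Jan/2022:10:01:03 +0000] "GET /xmlpserver/servlet/report?_xpt=2 HTTP/1.1" 200 50120
10.0.0.12 - jdoe [18/Jan/2022:10:02:00 +0000] "GET /xmlpserver/ HTTP/1.1" 200 1200
203.0.113.9 - - [18/Jan/2022:10:03:00 +0000] "GET /xmlpserver/ HTTP/1.1" 302 0
203.0.113.9 - - [18/Jan/2022:10:03:01 +0000] "GET /xmlpserver/login.jsp HTTP/1.1" 200 3400
"""

LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def unauthenticated_hits(log_text, statuses=("200", "302")):
    """Equivalent of the SIEM query: successful responses with user == "-",
    counted per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] == "-" and rec["status"] in statuses:
            counts[rec["src_ip"]] += 1
    return counts

def suspicious_sources(log_text, min_bytes=10000, login_path="/xmlpserver/login.jsp"):
    """Tighter variant: per source IP, sum the bytes of unauthenticated 200
    responses, skipping the login page (assumed path) and size-less records,
    and return only IPs whose total exceeds min_bytes."""
    by_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["user"] != "-" or rec["status"] != "200":
            continue
        if rec["path"].split("?")[0] == login_path or rec["size"] == "-":
            continue
        by_ip[rec["src_ip"]] += int(rec["size"])
    return {ip: total for ip, total in by_ip.items() if total > min_bytes}
```

Redirects to the login page inflate the plain count, so the byte-based variant is the one worth alerting on; tune min_bytes to the size of your smallest sensitive report.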
