CVE-2022-21536

8.1 HIGH

📋 TL;DR

This vulnerability in Oracle Enterprise Manager's Policy Framework allows unauthenticated attackers with network access via HTTP to potentially compromise the entire Enterprise Manager Base Platform. Affected versions are 13.4.0.0 and 13.5.0.0, putting organizations using these versions at risk of complete system takeover.

💻 Affected Systems

Products:
  • Oracle Enterprise Manager Base Platform
Versions: 13.4.0.0 and 13.5.0.0
Operating Systems: All platforms supported by Oracle Enterprise Manager
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Policy Framework component specifically. Requires HTTP network access to the Enterprise Manager instance.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Enterprise Manager Base Platform leading to full administrative control, data exfiltration, and potential lateral movement to managed systems.

🟠 Likely Case

Unauthenticated remote code execution leading to system compromise and potential credential theft from the Enterprise Manager platform.

🟢 If Mitigated

Limited impact where network segmentation and proper access controls prevent unauthenticated access to the vulnerable components.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Oracle describes this as 'difficult to exploit' but with high impact if successful. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update July 2022 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujul2022.html

Restart Required: Yes

Instructions:

1. Download the July 2022 Critical Patch Update from Oracle Support.
2. Apply the patch to affected Enterprise Manager instances.
3. Restart the Enterprise Manager services.
4. Verify the patch was successfully applied.

🔧 Temporary Workarounds

Network Segmentation

Platforms: all

Restrict network access to Enterprise Manager instances to trusted IP addresses only.

Use firewall rules to limit access. The ACCEPT rule must be inserted before the DROP rule (iptables evaluates rules in order), rules added this way do not survive a reboot unless saved, and the hosts running Management Agents must stay in the trusted set for any port they upload to, or monitoring breaks:

iptables -A INPUT -p tcp --dport <em_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <em_port> -j DROP

Authentication Enforcement

Platforms: all

Ensure all access to Enterprise Manager requires authentication.

Verify in the Enterprise Manager configuration that authentication is required for all endpoints.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted networks only
  • Monitor Enterprise Manager logs for unusual unauthenticated access attempts

🔍 How to Verify

Check if Vulnerable:

Check Enterprise Manager version via console or command line: emctl status agent

Check Version:

emctl status agent | grep 'Enterprise Manager'

Verify Fix Applied:

Verify patch application by checking the version and reviewing the patch logs in $ORACLE_HOME/cfgtoollogs/opatch, or by listing the applied patches with $ORACLE_HOME/OPatch/opatch lsinventory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual unauthenticated HTTP requests to Policy Framework endpoints
  • Unexpected process execution from Enterprise Manager components

Network Indicators:

  • Unusual outbound connections from Enterprise Manager servers
  • HTTP requests to Policy Framework from untrusted sources

SIEM Query (illustrative pseudo-syntax; field names depend on your SIEM and log source):

source="enterprise_manager" AND (http_uri CONTAINS "/policy" OR http_uri CONTAINS "/framework") AND http_status=200 AND auth_status="unauthenticated"
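The same detection logic as a stand-alone script, added here as an example (not part of the original page or any Oracle tooling): it applies the query's three conditions to constructed access-log lines and rates hits from outside a trusted range higher, as the Network Indicators above suggest. The log layout, the trusted range and the URI paths in the samples are assumptions; only the "/policy" and "/framework" substrings come from the query.

```python
import ipaddress
import re

# Constructed sample lines (assumption: not Oracle's real log layout; map your
# collector's fields onto ip/method/uri/status/auth in LINE_RE instead).
SAMPLE_LOG = """\
10.0.0.5 GET /em/policy/evaluate 200 unauthenticated
10.0.0.7 GET /em/console/home 200 authenticated
198.51.100.23 POST /em/framework/submit 200 unauthenticated
10.0.0.9 GET /em/policy/list 401 unauthenticated
203.0.113.4 GET /em/Framework/ping 200 UNAUTHENTICATED
"""
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) (?P<auth>\S+)$")
WATCHED_URI_PARTS = ("/policy", "/framework")  # substrings from the SIEM query above
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed "trusted IP" range

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_hit(rec):
    """Mirror the SIEM query: watched URI (case-insensitive), HTTP 200, unauthenticated.
    A 401/403 means the request was rejected, so it is not counted."""
    uri = rec["uri"].lower()
    return (any(p in uri for p in WATCHED_URI_PARTS)
            and rec["status"] == "200"
            and rec["auth"].lower() == "unauthenticated")

def from_untrusted(ip):
    """True when the source lies outside every trusted range (or is not a valid IP)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in TRUSTED_NETS)

def scan(log_text):
    """Return (ip, uri, severity) per hit; untrusted sources are rated 'high'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_hit(rec):
            hits.append((rec["ip"], rec["uri"], "high" if from_untrusted(rec["ip"]) else "medium"))
    return hits

if __name__ == "__main__":
    for ip, uri, sev in scan(SAMPLE_LOG):
        print(f"[{sev}] unauthenticated 200 on {uri} from {ip}")
```

Against the sample lines the script reports three hits and skips the 401, which is the rejected request the query deliberately excludes.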
