External risk intelligence

Oracle Access Manager: Unauthenticated Network Access Leads to Compromise.

CVE advisory
Known Exploit

CVE-2021-35587

A vulnerability in Oracle Access Manager allows unauthenticated attackers with network access via HTTP to compromise the product, potentially leading to a full takeover. This impacts organizations by risking their access management systems and associated data. The realistic business risk is significant due to the ease

Halo Surface Signal: 5

Missing Authentication

Oracle Access Manager

11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0

External exposure likelihood

Halo Surface Signal score for CVE-2021-35587

Oracle Access Manager is an identity and access management solution. As a gateway and identity portal, it is designed to be public-facing to manage authentication for users and applications, making its network services highly likely to be exposed to the public internet in common deployments.

Horizon Alert

Summary of the vulnerability and why it matters

The Oracle Access Manager product, a component of Oracle Fusion Middleware, contains a vulnerability that could allow an attacker to compromise the system. This flaw is exploitable by an unauthenticated attacker who has network access via HTTP. Successful exploitation could lead to a complete takeover of the Oracle Access Manager.

  • Vulnerable component: Oracle Access Manager
  • Core weakness: Unauthenticated network access leads to takeover
  • Main business impact: Compromise of access management systems

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker with network access can compromise Oracle Access Manager. This vulnerability can lead to the takeover of the Oracle Access Manager product. The exploitability is high due to network access being the only requirement for an attacker to initiate the attack.

  • Network access required
  • Attacker compromises Oracle Access Manager
  • Attacker gains control

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk to organizations utilizing Oracle Access Manager. An attacker, without needing any credentials, can exploit this flaw remotely by leveraging network access via HTTP. Successful exploitation could lead to a complete takeover of the Oracle Access Manager system, severely compromising sensitive data and system integrity. Given the potential for widespread impact and the ease of exploitation, this vulnerability should be treated with a high degree of urgency.

  • Attacker skill level: Low
  • Access required: Network access
  • Business risk: High urgency

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Oracle Access Manager, a component of Oracle Fusion Middleware, can allow an unauthenticated attacker with network access via HTTP to compromise the product. Successful attacks could lead to the takeover of Oracle Access Manager, impacting confidentiality, integrity, and availability. The CVSS 3.1 base score is 9.8, indicating a critical severity.

  • Identify Oracle Access Manager assets.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes and validate.
  • Monitor for related issues.

Frequently asked questions

What is Oracle Access Manager and how is it used?

Oracle Access Manager is a component of Oracle Fusion Middleware that functions as an identity and access management solution. It is used to manage authentication for users and applications, acting as a gateway and identity portal.

What type of weakness does CVE-2021-35587 represent?

CVE-2021-35587 is classified as a CWE-306 weakness (Missing Authentication for Critical Function), which in this case means functionality that leads to code execution can be reached without any authentication. This allows an unauthenticated attacker with network access to compromise Oracle Access Manager.

What conditions are needed for an attacker to exploit this vulnerability?

An attacker needs network access via HTTP to the Oracle Access Manager to exploit this vulnerability. No authentication or special privileges are required for the attacker to initiate the attack.

Who should be concerned about CVE-2021-35587?

Organizations running Oracle Access Manager should be concerned, especially if their systems are internet-facing. The Halo Surface Signal indicates this is very likely, as such systems are typically designed to be public-facing to manage user authentication.

What are the first steps for handling this threat in Oracle Access Manager?

Begin by identifying all Oracle Access Manager assets within your environment. Consider reducing their exposure or isolating them if possible, and prioritize applying vendor-provided fixes.
