1. Summary
| Vulnerability Name | Oracle Access Manager Remote Code Execution Vulnerability (CVE-2021-35587) |
|---|---|
| Release Time | March 22, 2022 |
| Component Name | OpenSSO Agent |
| Affected Versions | Oracle Access Manager 11.1.2.3.0 Oracle Access Manager 12.2.1.3.0 Oracle Access Manager 12.2.1.4.0 |
| Vulnerability Type | Remote Code Execution |
| Exploitability | Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None |
| Impact | Severity: CVSS v3 Base Score 9.8 (Critical) Confidentiality Impact: High Integrity Impact: High Availability Impact: High |
2. About CVE-2021-35587
2.1 Introduction
Oracle Access Management Access Manager (Access Manager) is the former (standalone) product named Oracle Access Manager. Access Manager provides the Oracle Fusion Middleware single sign-on (SSO) solution.
2.2 Summary
On March 23, 2022, Sangfor FarSight Labs received a notice about a remote code execution vulnerability in Oracle Access Manager (CVE-2021-35587), classified as critical with a CVSS Score of 9.8.
This vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager.
3. Affected Versions
Oracle Access Manager 11.1.2.3.0
Oracle Access Manager 12.2.1.3.0
Oracle Access Manager 12.2.1.4.0
4. Solutions
4.1 Remediation Solutions
Oracle has released a patch for affected versions to fix this vulnerability. Please download the patch corresponding to the affected version from the following link: https://www.oracle.com/security-alerts/cpujan2022.html
4.2 Sangfor Solutions
4.2.1 Security Monitoring
The following Sangfor products and services perform real-time monitoring of assets affected by the Oracle Access Manager remote code execution vulnerability (CVE-2021-35587):
- Sangfor Cyber Command (Network Detection and Response)
- Sangfor Cyber Guardian (Managed Detection and Response)
4.2.2 Security Protection
The following Sangfor products and services provide protection against the Oracle Access Manager remote code execution vulnerability (CVE-2021-35587):
5. Timeline
On March 23, 2022, Sangfor FarSight Labs received a notice about the Oracle Access Management vulnerability (CVE-2021-35587).
On March 23, 2022, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.
6. Reference
https://nvd.nist.gov/vuln/detail/CVE-2021-35587
https://www.oracle.com/security-alerts/cpujan2022.html
7. Learn More
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.
