CVE-2021-2244
published 2021-04-22

CVE-2021-2244: Vulnerability in the Hyperion Analytic Provider Services product of Oracle Hyperion (component: JAPI) and Essbase Analytic Provider Services product of Oracle…

Priority: P2 (63)
Severity: critical, CVSS 3.1 base score 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.75% (75.1 percentile)
Vulnerability in the Hyperion Analytic Provider Services product of Oracle Hyperion (component: JAPI) and Essbase Analytic Provider Services product of Oracle Essbase (component: JAPI). Supported versions that are affected are Hyperion Analytic Provider Services 11.1.2.4 and 12.2.1.4, and Essbase Analytic Provider Services 21.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Hyperion Analytic Provider Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Hyperion Analytic Provider Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Hyperion Analytic Provider Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Affected (6 ranges)

Vendor              Product                               Version range  Fixed in
oracle              essbase_analytic_provider_services    -              -
oracle              hyperion_analytic_provider_services   -              -
oracle              hyperion_analytic_provider_services   -              -
oracle_corporation  hyperion_analytic_provider_services   -              -
oracle_corporation  hyperion_analytic_provider_services   -              -
oracle_corporation  hyperion_analytic_provider_services   -              -

Version range and fixed-in values are not given in this record; the description above lists the affected releases (Hyperion Analytic Provider Services 11.1.2.4 and 12.2.1.4, Essbase Analytic Provider Services 21.2).

Detection & IOCs (extracted from sources)

  • CVE-2021-2244 sits in the JAPI component of Hyperion Analytic Provider Services (APS) and Essbase Analytic Provider Services and is reachable over HTTP without authentication; log and review HTTP requests to the JAPI endpoints of affected deployments, in particular from source addresses that have no business with the service.
  • The vector is scope-changed (S:C): a successful attack can affect products beyond APS itself, so watch for lateral movement or cross-component compromise following suspicious JAPI activity.
  • Successful exploitation results in takeover of the service; alert on unexpected process execution, configuration changes or privilege escalation originating from the Hyperion APS or Essbase APS service accounts.
  • Affected versions are Hyperion Analytic Provider Services 11.1.2.4 and 12.2.1.4 and Essbase Analytic Provider Services 21.2; scope detections and patch checks to those releases, which are covered by Oracle's April 2021 Critical Patch Update (CPUApr2021).
  • No authentication or privileges are required (PR:N), so credential controls do nothing against this issue; reducing exposure means restricting network access to the APS HTTP listener, not tightening accounts.
  • The scores on this page disagree: the NVD vector is UI:N (no user interaction) and scores 10.0, the Oracle CPUApr2021 advisory is cited at 9.6, and the description text itself says attacks "require human interaction from a person other than the attacker", which corresponds to UI:R. For this vector the UI metric alone accounts for the difference between 10.0 and 9.6; check which score your risk process is consuming.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     10.0   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_oracle  -        10.0   CRITICAL  -
vendor_redhat  -        5.5    MEDIUM    -