CVE-2021-2244
Published: 2021-04-22
CVE-2021-2244: Vulnerability in the Hyperion Analytic Provider Services product of Oracle Hyperion (component: JAPI) and Essbase Analytic Provider Services product of Oracle…
Priority: P263 · Severity: critical (10.0) · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.75% (75.1th percentile)
Vulnerability in the Hyperion Analytic Provider Services product of Oracle Hyperion (component: JAPI) and Essbase Analytic Provider Services product of Oracle Essbase (component: JAPI). Supported versions that are affected are Hyperion Analytic Provider Services 11.1.2.4 and 12.2.1.4, and Essbase Analytic Provider Services 21.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Hyperion Analytic Provider Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Hyperion Analytic Provider Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Hyperion Analytic Provider Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Affected (6 ranges; no version bounds or fix versions are recorded for any range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | essbase_analytic_provider_services | — | — |
| oracle | hyperion_analytic_provider_services | — | — |
| oracle | hyperion_analytic_provider_services | — | — |
| oracle_corporation | hyperion_analytic_provider_services | — | — |
| oracle_corporation | hyperion_analytic_provider_services | — | — |
| oracle_corporation | hyperion_analytic_provider_services | — | — |
Detection & IOCs (extracted from sources)
- CVE-2021-2244 targets the JAPI component of Hyperion Analytic Provider Services and Essbase Analytic Provider Services over HTTP; monitor for unauthenticated HTTP requests to JAPI endpoints on affected Oracle Hyperion/Essbase deployments.
- Attacks can impact additional products beyond the directly targeted service (scope change, S:C); monitor for lateral movement or cross-component compromise following exploitation of Hyperion APS JAPI.
- Successful exploitation results in full takeover; alert on unexpected process execution, configuration changes, or privilege escalation originating from the Hyperion APS or Essbase APS service accounts.
- Affected versions are Hyperion Analytic Provider Services 11.1.2.4 and 12.2.1.4, and Essbase Analytic Provider Services 21.2; scope detections to these specific versions.
- The vulnerability is exploitable with no authentication and no privileges required (PR:N, UI:N per the CVSS vector), so credential-based filtering alone does not reduce the attack surface; network-layer controls are needed as well.
- The NVD advisory lists UI:N (no user interaction required) with a base score of 10.0, while the Oracle cpuapr2021 advisory lists CVSS 9.6; verify which scoring applies to your specific product version, as the two advisories differ slightly in score.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_oracle | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
Oracle
Oracle Essbase Risk Matrix: JAPI, CVE-2021-2244 [CRITICAL]
Source: vendor_oracle · 2021-07-15 · CVSS 10.0
CVE: CVE-2021-2244
CVSS: 10.0
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujul2021 (JUL 2021)

Oracle
Oracle Hyperion Risk Matrix: JAPI, CVE-2021-2244 [CRITICAL]
Source: vendor_oracle · 2021-04-15 · CVSS 9.6
CVE: CVE-2021-2244
CVSS: 9.6
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpuapr2021 (APR 2021)
GHSA
GHSA-38xv-jq9h-rcmq: Vulnerability in the Hyperion Analytic Provider Services product of Oracle Hyperion (component: JAPI), CVE-2021-2244 [CRITICAL]
Source: ghsa_unreviewed · 2022-05-24
Vulnerability in the Hyperion Analytic Provider Services product of Oracle Hyperion (component: JAPI). Supported versions that are affected are 11.1.2.4 and 12.2.1.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Hyperion Analytic Provider Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Hyperion Analytic Provider Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Hyperion Analytic Provider Services. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.