⚠ Actively exploited

Added to CISA KEV on 2022-11-28. Federal agencies required to patch by 2022-12-19. Required action: Apply updates per vendor instructions..

CVE-2021-35587 — Missing Authentication for Critical Function in Corporation Access Manager

CWE-306 — Missing Authentication for Critical Function CWE-502 — Deserialization of Untrusted Data CWE-790 — Improper Filtering of Special Elements8 documents8 sources

Severity

9.8CRITICALNVD

EPSS

94.2%

top 0.07%

CISA KEV

KEV

Added 2022-11-28

Due 2022-12-19

Exploit

Exploited in wild

Active exploitation observed

Affected products

Oracle Corporation Access Manager Oracle Access Manager

Timeline

PublishedJan 19

KEV addedNov 28

KEV dueDec 19

CISA Required Action: Apply updates per vendor instructions.

Description

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDoracle/access_manager11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0+2

▶CVEListV5oracle_corporation/access_manager11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0+2

🔴Vulnerability Details

GHSA

GHSA-x3jv-936g-xqj4: Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent)↗2022-01-20

▶

CVEList

CVE-2021-35587: Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent)↗2022-01-19

▶

VulnCheck

Oracle Fusion Middleware Unspecified Vulnerability↗2021

▶

💥Exploits & PoCs

Nuclei

Oracle Access Manager - Remote Code Execution

▶

🔍Detection Rules

Suricata

ET EXPLOIT Possible Oracle Access Manager RCE Attempt (CVE-2021-35587)↗2022-03-10

▶

📋Vendor Advisories

CISA

Oracle Fusion Middleware Unspecified Vulnerability↗2022-11-28

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: OpenSSO Agent — CVE-2021-35587↗2022-01-15

▶