CVE-2021-35652
Published: 2021-10-20
Priority: P264 · Severity: critical · CVSS 3.1 base score: 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.81% (75.9th percentile)
Vulnerability in the Essbase Administration Services product of Oracle Essbase (component: EAS Console). The supported versions that are affected are Prior to 11.1.2.4.046 and Prior to 21.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Essbase Administration Services. While the vulnerability is in Essbase Administration Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Essbase Administration Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | essbase_administration_services | < 11.1.2.4.046 | 11.1.2.4.046 |
| oracle | essbase_administration_services | >= 21.0 < 21.3 | 21.3 |
| oracle_corporation | hyperion_essbase_administration_services | < 11.1.2.4.046 (no lower bound specified) | 11.1.2.4.046 |
| oracle_corporation | hyperion_essbase_administration_services | < 21.3 (no lower bound specified) | 21.3 |
Detection & IOCs (extracted from sources)
- The vulnerability is exploitable over HTTP by an unauthenticated remote attacker with network access, targeting the EAS Console component of Essbase Administration Services. Monitor for unexpected or unauthenticated HTTP requests to EAS Console endpoints. A web server access log records only HTTP-layer authentication, so the source address and requested path are the more reliable fields for this check.
- Successful exploitation can result in full takeover of Essbase Administration Services, with a scope change that impacts additional products. Alert on anomalous activity or privilege escalation originating from the EAS Console service.
- The CVSS 3.1 base score of 10.0 carries Scope: Changed and full C/I/A impact, meaning the impact extends beyond the EAS Console's own security scope into the Essbase infrastructure it administers. Treat any compromise of EAS Console as a potential pivot point to connected Essbase systems.
- Only Essbase Administration Services versions prior to 11.1.2.4.046 and prior to 21.3 are affected. Verify the deployed version before applying detection logic; patched instances (11.1.2.4.046 or later on the 11.1.2.4 line, 21.3 or later on the 21 line) are not vulnerable.
- The vulnerability resides specifically in the EAS Console component of the Essbase Administration Services product. Scope detection and patching efforts to this component.
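The two checks above (confirm the version is in an affected range, then look at HTTP traffic to the console) can be combined into one triage script. The following is an added example for this page, not Oracle's code and not a rule from any detection product. The version logic follows the ranges in the Affected table; the console URL prefix `/easconsole/`, the administrator network allowlist and the Apache/NCSA-style log lines are assumptions made for the example, and the sample log is constructed.

```python
"""Triage helper for CVE-2021-35652 (Oracle Essbase Administration Services, EAS Console).

Added example for this page; it is not Oracle's code and not from any detection
product. Two pieces:
  1. is_affected(version): check a deployed EAS version against the ranges on
     this page (prior to 11.1.2.4.046; 21.0 up to but excluding 21.3).
  2. suspicious_requests(...): unless the version is known to be fixed, flag
     HTTP requests to the EAS Console path from outside the admin networks.
Assumptions (not from the advisory): the console URL prefix "/easconsole/", the
admin network allowlist, and the combined-log format of the constructed sample lines.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.1.2.4.046' -> (11, 1, 2, 4, 46); the leading zero in '046' is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Oracle version string: {text!r}")
    return tuple(int(p) for p in parts)


FIX_11 = parse_version("11.1.2.4.046")   # fixed-in release on the 11.1.2.4 line
FIX_21 = parse_version("21.3")           # fixed-in release on the 21 line


def is_affected(version: str) -> Optional[bool]:
    """True = inside a listed affected range; False = at or past the fix on its
    line; None = a release line the advisory does not list (12.x through 20.x),
    which triage should escalate rather than silently treat as safe."""
    v = parse_version(version)
    if v[0] >= 21:
        return v < FIX_21            # 21.0..21.2 affected; 21.3 and later fixed
    if v < FIX_11:
        return True                  # "prior to 11.1.2.4.046", lower bound unspecified
    if v[0] == 11:
        return False                 # 11.1.2.4.046 or later on the 11 line
    return None                      # 12.x-20.x: outside both ranges on this page


# Combined-style access log. Constructed sample lines, not captured from a real host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOG = [
    '10.0.5.7 - admin [20/Oct/2021:10:01:02 +0000] "GET /easconsole/console HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Oct/2021:10:02:15 +0000] "POST /easconsole/console HTTP/1.1" 200 77',
    '10.0.5.7 - - [20/Oct/2021:10:03:44 +0000] "GET /easconsole/console HTTP/1.1" 302 0',
    '203.0.113.9 - - [20/Oct/2021:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

Hit = Tuple[str, str, str, str, int]   # (source ip, http user, method, path, status)


def suspicious_requests(version: str, log_lines: Iterable[str],
                        console_prefix: str = "/easconsole/",
                        admin_nets: Tuple[str, ...] = ("10.0.5.0/24",)) -> List[Hit]:
    """Requests to the EAS Console path from outside the admin networks.
    Skipped entirely when the version is known to be fixed; an unlisted version
    (None) is still scanned, erring on the side of alerting. The authuser column
    is reported but not trusted: it only reflects HTTP-layer authentication."""
    if is_affected(version) is False:
        return []
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    hits: List[Hit] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(console_prefix):
            continue
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in nets):
            continue                 # expected administrator source; not flagged
        hits.append((m["ip"], m["user"], m["method"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests("11.1.2.4.045", SAMPLE_LOG):
        print("ALERT", *hit)
```

Two choices worth noting: version strings are compared as integer tuples so that `11.1.2.4.046` is handled as a patch number and not as text (a string comparison would also order `21.3` before `11.1.2.4.046`), and a version the advisory does not list returns `None` rather than `False`, so the log scan still runs for it instead of being silently skipped.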
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Oracle (vendor) | 3.1 | 10.0 | CRITICAL | (as NVD v3.1) |
GHSA
GHSA-g93q-vj58-xw7m (ghsa_unreviewed, 2022-05-24, CRITICAL): Vulnerability in the Essbase Administration Services product of Oracle Essbase (component: EAS Console)
Vulnerability in the Essbase Administration Services product of Oracle Essbase (component: EAS Console). The supported version that is affected is Prior to 11.1.2.4.046. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Essbase Administration Services. While the vulnerability is in Essbase Administration Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Essbase Administration Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Note that this GHSA record lists only the 11.1.2.4 line; the NVD and Oracle descriptions above also list versions prior to 21.3.
Oracle
Oracle Essbase Risk Matrix: EAS Console — CVE-2021-35652 (vendor_oracle, 2021-10-15, CVSS 10.0, CRITICAL)
CVE: CVE-2021-35652
CVSS: 10.0
Protocol: HTTP
Remote exploit without authentication: Yes
Attack vector: Network
Affected versions: prior to 11.1.2.4.046; prior to 21.3
Advisory: cpuoct2021 (Oracle Critical Patch Update, October 2021)
No detection rules found.
No public exploits indexed.
Published: 2021-10-20