Oracle Access Manager Pre-Auth RCE Vulnerability CVE-2021-35587 Analysis
Oracle Access Manager (OAM) is Oracle's flagship product for authentication, web single sign-on (WebSSO), fine-grained authorization and related access services. Integrated with Oracle Identity Management, it protects customer applications and workloads.
A high-risk vulnerability was recently found in OAM, tracked as CVE-2021-35587 (https://nvd.nist.gov/vuln/detail/CVE-2021-35587). It allows an unauthenticated attacker with nothing more than HTTP network access to compromise OAM. Successful exploitation can result in a full takeover of Oracle Access Manager, for example creating a superuser with arbitrary privileges or executing arbitrary code remotely on the server. Oracle lists the affected supported versions as 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0 (component: OpenSSO Agent).
The entry point is the URL endpoint "/oam/server/opensso/sessionservice". Specially crafted requests to this endpoint allow an attacker to bypass authentication and subvert the OAM environment.
Fig. 1 - sample request with results
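While the patch is being scheduled, the first thing a defender wants is visibility into who is hitting the endpoint named above. The script below is an added example (not part of the original article or of any Oracle tooling): it parses Apache/OHS "combined" access-log lines, flags every request whose path is the sessionservice endpoint (normalising query string, trailing slash and case), and summarises hits per client address. The log lines embedded in it are constructed for illustration, not real traffic.

```python
import re
from collections import defaultdict

# Endpoint named in the advisory write-up above.
OAM_SESSIONSERVICE = "/oam/server/opensso/sessionservice"

# Apache/OHS "combined" format:
# client ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log (hypothetical hosts and addresses): ordinary OAM login
# traffic plus three requests to the sessionservice endpoint, one of them with a
# trailing slash to show the normalisation.
SAMPLE_LOG = """\
10.0.0.15 - - [18/Jan/2022:10:01:12 +0000] "GET /oam/server/obrareq.cgi?encquery=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.15 - - [18/Jan/2022:10:01:13 +0000] "POST /oam/server/auth_cred_submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jan/2022:10:04:40 +0000] "POST /oam/server/opensso/sessionservice HTTP/1.1" 200 512 "-" "python-requests/2.26.0"
203.0.113.7 - - [18/Jan/2022:10:04:41 +0000] "POST /oam/server/opensso/sessionservice HTTP/1.1" 500 0 "-" "python-requests/2.26.0"
10.0.0.22 - - [18/Jan/2022:10:05:02 +0000] "GET /oam/pages/login.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jan/2022:10:07:59 +0000] "GET /oam/server/opensso/sessionservice/ HTTP/1.1" 200 88 "-" "curl/7.79.1"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sessionservice_request(entry):
    """True when the request path is the sessionservice endpoint.

    Query string, trailing slash and letter case are normalised so that trivial
    variations such as "sessionservice/" or "SessionService" are still matched.
    """
    path = entry["path"].split("?", 1)[0].rstrip("/").lower()
    return path == OAM_SESSIONSERVICE


def find_sessionservice_hits(log_text):
    """Return the parsed entries of every request to the sessionservice endpoint."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_sessionservice_request(entry):
            hits.append(entry)
    return hits


def summarize_by_client(hits):
    """Per-source summary: request count, HTTP status codes seen and user agents used."""
    summary = defaultdict(lambda: {"count": 0, "statuses": set(), "user_agents": set()})
    for h in hits:
        s = summary[h["client"]]
        s["count"] += 1
        s["statuses"].add(int(h["status"]))
        s["user_agents"].add(h["ua"] or "-")
    return dict(summary)


if __name__ == "__main__":
    for client, s in summarize_by_client(find_sessionservice_hits(SAMPLE_LOG)).items():
        print(f"{client}: {s['count']} request(s), statuses={sorted(s['statuses'])}, "
              f"user_agents={sorted(s['user_agents'])}")
```

A hit on this path is a lead, not proof of compromise: where OpenSSO agents are deployed, their legitimate traffic may use the same endpoint, so compare the flagged sources against known agent hosts and treat requests from unknown addresses or scripting user agents (as in the constructed sample) as the ones to investigate.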
Solution: apply the Critical Patch Update (CPU) patches as soon as possible!
The Oracle Critical Patch Update of January 2022 contains 39 new security patches for Oracle Fusion Middleware. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., exploited over a network without requiring user credentials. One of them is CVE-2021-35587. It is highly recommended to apply this CPU and to establish a schedule for applying CPU patches regularly; Oracle publishes them quarterly (January, April, July and October).
Conclusion
Don't miss CPU patch updates. Patching is basic cyber hygiene. Oracle releases patches for many product issues, but the most significant are the security patches, which mitigate previously identified vulnerabilities that bad actors can leverage to gain unauthorized access to your systems and data.
Check the Critical Patch Updates, Security Alerts and Bulletins portal (https://www.oracle.com/security-alerts/) for further information.
Thanks!
Rogerio Cruz, Security Lead, ACS Global Delivery LAD - Oracle Brazil
OffensiveSecurity | CyberSecurity | IAM | IGA | DevSecOps | ISO27001 | NIST | Forensics | ITIL | LGPD | PDPF | CHFI | IDM
2 years ago: Nice! Sharing it here!
Principal Cloud Security Architect
2 years ago: Very good, master! It's always good to be reminded to apply CPUs, which are so often ignored!
Principal Advanced Support Engineer
2 years ago: Congratulations, Rogério.
IT Manager | Analytics | Cloud Architecture | Generative AI | Digital transformation | Six Sigma | OCI |
2 years ago: Congratulations, Rogério, excellent.