
Critical Vulnerability (CVE-2021-35587) in Oracle Fusion Middleware Now Exploited!


On Monday, November 28, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2021-35587 and CVE-2022-4135 to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. CVE-2021-35587 affects Oracle Fusion Middleware Access Management, an enterprise-level Single Sign-On (SSO) solution. It allows pre-authentication Remote Code Execution in Oracle Fusion Middleware, resulting in full takeover of Oracle Access Manager. CVE-2022-4135 affects Google Chromium. Both are critical vulnerabilities observed being actively exploited in the wild. This post focuses on CVE-2021-35587 because this is where Censys can help.

About CVE-2021-35587

CVE-2021-35587 was published in January 2022. It is a vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware. The vulnerability allows an unauthenticated (pre-auth) attacker with network access via HTTP to compromise Oracle Access Manager and take full control of the system, achieving Remote Code Execution (RCE). Given that Oracle's installation guide describes Oracle Access Manager as an “enterprise-level security application that provides a full range of Web-perimeter security functions and Web single sign-on services,” a compromise can have severe consequences for victims of such attacks.

The first proof of concept (PoC) exploit was published in March 2022 by security researchers “Janggggg” and “Peterjson”. Since then, other PoCs have appeared as well, providing attackers with a variety of options. However, the vulnerability has not been observed to be exploited in the wild … until now.

What’s changed?

CISA has confirmed that CVE-2021-35587 is being actively exploited in the wild, but did not provide additional details about the attacks. GreyNoise Intelligence has observed exploitation attempts against this vulnerability from at least 6 unique IPs in the last month. The attacks appear to originate from the United States, China, Germany, Singapore, and Canada. At this time, the attacks do not appear to be widespread.

How can Censys help?

There are currently 151 exposed Oracle Access Management systems accessible from the Internet. Oracle Access Manager hosts can be identified in Censys by searching on the product's CPE identifier:

  • Censys Search: `cpe:2.3:a:oracle:access_manager:*:*:*:*:*:*:*:*`

  • Censys ASM Inventory: `cpe:2.3:a:oracle:access_manager:*:*:*:*:*:*:*:*`

Censys Attack Surface Management customers now have access to a new risk that identifies exposed Oracle Access Management systems in their attack surface. Because this is a security tool, it should not be accessible from the Internet in a traditional organization. All ASM risks related to Oracle Access Manager can be found using the search term “oracle”.
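As an added example (not code from this post or from Censys), the following Python applies the CPE pattern above to host inventory records to flag exposed Oracle Access Manager services. The record layout (`services[].software[].uniform_resource_identifier` holding the CPE string) and the sample hosts are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# CPE 2.3 pattern quoted in the post: any version of Oracle Access Manager.
OAM_CPE_PATTERN = "cpe:2.3:a:oracle:access_manager:*:*:*:*:*:*:*:*"


def parse_cpe23(cpe: str) -> List[str]:
    """Split a CPE 2.3 formatted string into its 13 components.
    Colons escaped with a backslash inside a component are not separators."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13:
        raise ValueError(f"expected 13 components, got {len(parts)}: {cpe}")
    return parts


def cpe_matches(pattern: str, candidate: str) -> bool:
    """True when every component of candidate matches the pattern.
    '*' (ANY) in the pattern matches anything; other components compare
    case-insensitively, as CPE names are case-insensitive."""
    pat, cand = parse_cpe23(pattern), parse_cpe23(candidate)
    return all(p == "*" or p.lower() == c.lower() for p, c in zip(pat, cand))


def find_exposed_oam(hosts: List[Dict]) -> List[Dict]:
    """Return one finding per (host, port) whose reported software CPE
    matches the Oracle Access Manager pattern."""
    findings = []
    for host in hosts:
        for svc in host.get("services", []):
            for sw in svc.get("software", []):
                uri = sw.get("uniform_resource_identifier", "")
                if uri.startswith("cpe:2.3:") and cpe_matches(OAM_CPE_PATTERN, uri):
                    findings.append({"ip": host["ip"], "port": svc["port"], "cpe": uri})
    return findings


# Constructed sample inventory (documentation IP range, assumed record shape).
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "services": [{"port": 443, "software": [
        {"uniform_resource_identifier": "cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*"}]}]},
    {"ip": "192.0.2.20", "services": [{"port": 7001, "software": [
        {"uniform_resource_identifier": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*"}]}]},
]

if __name__ == "__main__":
    for f in find_exposed_oam(SAMPLE_HOSTS):
        print(f"exposed OAM: {f['ip']}:{f['port']} ({f['cpe']})")
```

In practice the host list would come from a Censys Search or ASM export; only the IP 192.0.2.10 finding should be reported for the sample above.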

About the Author

Jill Cagliostro
Principal Product Management
Jill Cagliostro is a customer-obsessed product leader in the security industry. Her deep understanding of customers' pain points comes from her own real-world experience in the SOC. She started her career at a large financial institution where she focused on operationalizing and architecting their enterprise SIEM solution and establishing their threat intelligence program. She brought her experience to Anomali, where she led the customer success team for the East & Federal Region. She pivoted to Product Manager to get closer to the product and ensure that product strategy aligns with customer needs at companies like Anomali, Recorded Future, Splunk, and most recently Censys where she is a Principal Product Manager. She is a “Double Jacket” having completed both her undergraduate and graduate studies at Georgia Tech in Computer Science and Cybersecurity, respectively.