CVE-2021-22502 — Micro Focus Operation Bridge Reporter (OBR) Remote Code Execution Vulnerability


Micro Focus OBR — Unauthenticated OS Command Injection in Web Interface Enabling Remote Code Execution on IT Operations Reporting Infrastructure

What is Micro Focus Operation Bridge Reporter?

Micro Focus Operation Bridge Reporter (OBR) is an enterprise IT operations reporting and analytics platform deployed by large organizations and government agencies to aggregate performance and capacity data from IT infrastructure components — servers, network devices, storage, applications, and databases. OBR collects data from monitoring tools such as HP Operations Manager, SiteScope, and Business Service Management, then generates management dashboards and compliance reports. As an IT management platform with visibility into the entire infrastructure, OBR typically runs with broad access to IT management networks and contains credentials for the systems it monitors.

Overview

CVE-2021-22502 is an OS command injection vulnerability (CWE-78) in the Micro Focus Operation Bridge Reporter web interface. An unauthenticated remote attacker can send specially crafted requests to the OBR web service and inject OS commands that execute on the underlying server, giving complete server compromise without any credentials. Micro Focus published advisory MFSBGN03867 in February 2021. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in November 2021 following confirmed exploitation. The combination of unauthenticated RCE and OBR's deployment in high-value IT management environments makes this vulnerability significant.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| Micro Focus OBR 10.40 and earlier | Yes | Patch per MFSBGN03867 |

Technical Details

The OBR web interface includes endpoints that process administrative and reporting parameters by passing them to OS-level commands:

  • Root cause: OS command injection (CWE-78) — the OBR web application passes user-supplied input to shell commands without sanitizing shell metacharacters (;, &&, |, $(...))
  • No authentication required: The vulnerable endpoint is accessible without prior authentication on the default OBR web service configuration
  • Execution context: Injected commands execute in the context of the OBR application server process, which typically runs with elevated privileges on the underlying OS
  • Post-exploitation: An attacker with code execution on OBR can access monitoring credentials stored in OBR's configuration, pivot to monitored infrastructure systems, and access IT management data for the entire monitored environment

Discovery

Reported to Micro Focus by external security researchers. Micro Focus published advisory MFSBGN03867 in February 2021 with patch information.

Exploitation Context

Micro Focus OBR is deployed in enterprises and government agencies as part of HPE/Micro Focus IT management suites. While not as widely deployed as products like vCenter or Exchange, OBR is present in large-enterprise environments where it has credentials for IT monitoring across hundreds of servers. Attackers who compromise OBR gain visibility into infrastructure inventory, performance data, and potentially stored credentials for monitored systems. CISA's KEV addition confirms exploitation occurred in environments where this visibility was of value to threat actors.

Remediation

  1. Apply patches per Micro Focus Security Advisory MFSBGN03867 — update OBR to the patched version
  2. Restrict network access to the OBR web interface to authorized administrator IP ranges — the management interface should not be accessible from untrusted networks
  3. Review OBR access logs for unexpected requests from unauthorized IP addresses or containing shell metacharacters in parameters
  4. Audit OBR's stored monitoring credentials and rotate passwords for all monitored systems if exploitation is suspected
  5. After patching, review all systems monitored by OBR for signs of lateral movement from the OBR server
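Remediation steps 2 and 3 can be turned into a simple log triage: flag OBR web requests that arrive from outside the administrator ranges, or that carry shell metacharacters (the `;`, `&&`, `|` and `$(` the advisory names) in a URL-decoded parameter. The following is an added Python example, not code from the page or from Micro Focus; it assumes a combined-format access log, a placeholder admin network of 10.0.0.0/8, and placeholder `/OBRApp/...` paths in the constructed sample lines.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed admin ranges allowed to reach the OBR web interface (placeholder value).
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Shell metacharacters listed in the advisory text; the backtick is an added assumption.
METACHAR_RE = re.compile(r";|&&|\||\$\(|`")

# Combined log format: client - - [time] "METHOD /path?query HTTP/1.1" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def analyze_line(line):
    """Return a record for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    try:
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in ALLOWED_ADMIN_NETS):
            findings.append("source outside admin range")
    except ValueError:
        findings.append("unparseable client address")
    url = urlsplit(m["target"])
    # parse_qsl decodes each value once; decode again so a double-encoded
    # %253B is still recognised as ';'.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if METACHAR_RE.search(unquote_plus(value)):
            findings.append(f"shell metacharacter in parameter {key!r}")
    return {"ip": m["ip"], "path": url.path, "status": m["status"], "findings": findings}

def suspicious_requests(lines):
    """Keep only the requests that raised at least one finding."""
    return [r for r in (analyze_line(l) for l in lines) if r and r["findings"]]

# Constructed sample lines (not real OBR traffic); paths and parameters are placeholders.
SAMPLE_LOG = [
    '10.1.2.3 - - [03/Nov/2021:10:00:01 +0000] "GET /OBRApp/report?name=cpu HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Nov/2021:10:00:05 +0000] "GET /OBRApp/report?name=cpu%3Bid HTTP/1.1" 200 78',
    '10.1.2.9 - - [03/Nov/2021:10:00:09 +0000] "POST /OBRApp/admin?host=db1%26%26whoami HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], "; ".join(hit["findings"]))
```

Requests matched on metacharacters alone are a prompt to inspect the full request body and the server's process activity at that time, not proof of exploitation; a hit from an allowed admin range still warrants the credential rotation in step 4.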

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2021-22502 |
| Vendor / Product | Micro Focus — Operation Bridge Reporter (OBR) |
| NVD Published | 2021-02-08 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2021-02-08 | Micro Focus publishes advisory MFSBGN03867; CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |