CVE-2021-35587 — Oracle Fusion Middleware Access Manager Unspecified Vulnerability

CVE-2021-35587

Oracle Access Manager — Pre-Authentication Remote Code Execution via OpenSSO Agent Component Enabling Full IAM Takeover

What is Oracle Access Manager?

Oracle Access Manager (OAM) is Oracle's enterprise Identity and Access Management platform — part of Oracle Fusion Middleware. OAM provides single sign-on (SSO), multi-factor authentication, and access policy enforcement for enterprise applications. Organizations deploy OAM as the authentication gateway for their web applications, meaning it sits in front of critical business systems and controls who can access them. Compromising OAM gives an attacker the ability to bypass authentication for all protected applications, forge authentication sessions, and extract identity credentials for the entire enterprise.

Overview

CVE-2021-35587 is a critical pre-authentication vulnerability in the OpenSSO Agent component of Oracle Access Manager (part of Oracle Fusion Middleware). An unauthenticated remote attacker with HTTP access to the OAM server can exploit this vulnerability to take over the Access Manager product — achieving arbitrary code execution without needing any credentials. Oracle patched this in the January 2022 Critical Patch Update. CISA added it to KEV in November 2022, reflecting active exploitation in the wild roughly 10 months after the patch.

Affected Versions

Product                              Vulnerable   Fixed
Oracle Access Manager 11.1.2.3.0     Yes          January 2022 CPU patch
Oracle Access Manager 12.2.1.3.0     Yes          January 2022 CPU patch
Oracle Access Manager 12.2.1.4.0     Yes          January 2022 CPU patch

Technical Details

The vulnerability resides in the OpenSSO Agent component of Oracle Access Manager, which handles federated SSO authentication handoffs. The component processes incoming HTTP requests in a way that, under certain conditions, can be manipulated to execute arbitrary code without authentication:

  • Authentication required: None — the vulnerability is exploitable by any unauthenticated attacker with HTTP/HTTPS access to the OAM listening port
  • Attack complexity: Low — no special conditions or timing required
  • Impact: Full compromise of the Access Manager product, including potential code execution and access to all OAM-managed authentication sessions and credential stores
  • Protocol: HTTP/HTTPS — exploitable over the standard OAM web service port
  • Post-exploitation value: A compromised OAM instance exposes SSO tokens for all protected applications, enabling lateral movement across the entire enterprise application landscape

Discovery

The vulnerability was identified and reported to Oracle for inclusion in its Critical Patch Update process. Security researchers at Viettel Cyber Security published an analysis of the vulnerability after the patch was released. CISA's KEV addition, 10 months after the patch, indicates that exploitation had been confirmed against OAM deployments that remained unpatched.

Exploitation Context

Oracle Access Manager is widely deployed in large enterprises, financial institutions, and government agencies as a central identity management platform. An attacker who compromises OAM can effectively impersonate any user or service account in the enterprise without needing to crack individual passwords. The CISA KEV addition in November 2022 indicates nation-state or sophisticated criminal actors were actively exploiting this against unpatched OAM deployments — targeting the authentication infrastructure itself rather than individual applications.

Remediation

  1. Apply Oracle's January 2022 Critical Patch Update for Oracle Access Manager immediately
  2. If immediate patching is not possible, restrict access to the OAM server to trusted internal IPs and VPN-connected users only
  3. Audit OAM access logs for unexpected authentication activity, especially from unusual source IPs or at unusual times
  4. Review all applications protected by OAM for unauthorized access that may have occurred while OAM was vulnerable
  5. Rotate SSO service account credentials and OAuth tokens after patching
  6. Enable Oracle Fusion Middleware security monitoring and alerting
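As an added example (not from the page, not Oracle's tooling), steps 2 and 3 can be checked together with a small log-triage script: it flags OAM access-log entries whose source lies outside the trusted networks or that fall outside expected hours. The log layout, the trusted networks, the hour window and the endpoint paths are all constructed assumptions for the example; only parse_line() needs changing for a real OAM or WebLogic access log.

```python
import ipaddress
from datetime import datetime

# Constructed policy: networks still allowed to reach OAM after the emergency
# access restriction (step 2) and the hours in which interactive SSO traffic
# is expected, used for the "unusual times" check (step 3).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.100.0/24")]
EXPECTED_HOURS_UTC = range(7, 20)   # 07:00 to 19:59 UTC

# Constructed sample lines in an assumed, simplified layout:
#   "<ISO-8601 UTC timestamp> <client IP> <method> <path> <status>"
# The paths are placeholders, not real OAM endpoints.
SAMPLE_LOG = """\
2022-11-28T09:12:41Z 10.20.30.40 GET /oam/server/example-sso-endpoint 302
2022-11-28T03:14:07Z 203.0.113.45 POST /oam/server/example-agent-endpoint 200
2022-11-28T11:05:22Z 192.168.100.7 GET /oam/server/example-sso-endpoint 200
2022-11-28T23:48:10Z 10.9.8.7 POST /oam/server/example-agent-endpoint 500
2022-11-28T12:30:00Z 198.51.100.23 GET /oam/server/example-sso-endpoint 200
"""

def parse_line(line):
    """Split one assumed-layout line into typed fields."""
    ts, ip, method, path, status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return {"when": when, "ip": ipaddress.ip_address(ip),
            "method": method, "path": path, "status": int(status)}

def is_trusted(ip):
    """True when the client address falls inside an allowed network."""
    return any(ip in net for net in TRUSTED_NETWORKS)

def triage(log_text):
    """Return one finding per suspicious line, listing the checks it tripped."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted_source")
        if rec["when"].hour not in EXPECTED_HOURS_UTC:
            reasons.append("off_hours")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(", ".join(f["reasons"]), "->", f["line"])
```

Findings are a starting point for the review in step 4: each flagged source should be correlated with the sessions OAM issued to it and with access to the applications it protects.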

Key Details

Property               Value
CVE ID                 CVE-2021-35587
Vendor / Product       Oracle — Fusion Middleware
NVD Published          2022-01-19
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CISA KEV Added         2022-11-28
CISA KEV Deadline      2022-12-19
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-12-19. Apply updates per vendor instructions.

Timeline

Date         Event
2022-01-18   Oracle releases January 2022 Critical Patch Update patching CVE-2021-35587
2022-01-19   CVE published
2022-11-28   Added to CISA Known Exploited Vulnerabilities catalog
2022-12-19   CISA BOD 22-01 remediation deadline

References

Resource                                      Type
Oracle Critical Patch Update — January 2022   Vendor Advisory
NVD — CVE-2021-35587                          Vulnerability Database
CISA KEV Catalog Entry                        US Government