id: CVE-2021-35587

info:
  name: Pre-auth RCE in Oracle Access Manager
  author: cckuailong
  description: |
    Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager.
  severity: critical
  reference:
    - https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35587
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2021-35587
    cwe-id: CWE-502
  metadata:
    fofa-query: body="/oam/pages/css/login_page.css"
  tags: cve,cve2021,oam,rce,java,unauth,oracle

requests:
  - method: GET
    path:
      - '{{BaseURL}}/oam/server/opensso/sessionservice'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "x-oracle-dms-ecid"
          - "x-oracle-dms-rid"
        condition: or
        case-insensitive: true

      - type: word
        part: body
        words:
          - "/oam/pages/css/general.css"