PT-2021-2921 · Oracle · Essbase Analytic Provider Services+2
Yaoguang Chen
·
Published
2021-04-22
·
Updated
2021-12-03
·
CVE-2021-2244
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Hyperion Analytic Provider Services versions 11.1.2.4 and 12.2.1.4
Essbase Analytic Provider Services version 21.2
Description
The issue is related to insufficient input validation in the JAPI component of the affected software, allowing an unauthenticated attacker with network access via HTTP to compromise Hyperion Analytic Provider Services. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products, potentially resulting in the takeover of Hyperion Analytic Provider Services.
Recommendations
For Hyperion Analytic Provider Services versions 11.1.2.4 and 12.2.1.4, update to a version that includes the fix for this issue.
For Essbase Analytic Provider Services version 21.2, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the JAPI component until a patch is available.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Essbase Analytic Provider Services
Hyperion Analytic Provider Services
Japi