CVE-2021-2456

Name of the Vulnerable Software and Affected Versions Oracle Business Intelligence Enterprise Edition version 12.2.1.4.0

Description The issue exists due to insufficient input validation in the Analytics Web General component of Oracle Business Intelligence Enterprise Edition. This allows a remote attacker to gain full control over the application via the HTTP protocol. Successful attacks can result in the takeover of Oracle Business Intelligence Enterprise Edition.

Recommendations For version 12.2.1.4.0, consider disabling the BIRemotingServlet to prevent deserialization of untrusted data until a patch is available. Restrict access to the Analytics Web General component to minimize the risk of exploitation. Avoid using the HTTP protocol to access the vulnerable component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.