Oracle Access Manager 'opensso' Deserialization RCE (CVE-2021-35587) - Vulnerability Database

Oracle Access Manager 'opensso' Deserialization RCE (CVE-2021-35587)

Description

The OpenSSO Agent component of Oracle Access Manager (part of Oracle Fusion Middleware) deserializes Java objects received over HTTP without validating them first. An unauthenticated remote attacker who can reach the component on the network can send a crafted serialized Java object and obtain arbitrary code execution with the privileges of the WebLogic application server that hosts OAM, which in practice means full takeover of the access-management server and of the sessions and credentials it brokers. Oracle rates the issue critical (CVSS 3.1 base score 9.8), and exploitation in the wild has been reported.

Remediation

Apply Oracle's fix as soon as possible; because the flaw needs no credentials and has been exploited in the wild, treat it as a priority. Follow these steps:

1. Identify Affected Versions:
Review your Oracle Access Manager deployment to confirm whether you are running a vulnerable release. Oracle lists versions 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0 as affected; consult Oracle's Critical Patch Update Advisory (January 2022) for the authoritative list.

2. Apply Oracle Security Patches:
Download and install the January 2022 Critical Patch Update, or a later CPU that supersedes it, from My Oracle Support. Follow Oracle's patch installation documentation for your specific version and deployment architecture (single node, cluster, or multi-data-center).

3. Interim Mitigation (if immediate patching is not possible):
• Restrict network access to the OAM server's OpenSSO Agent endpoints with firewall rules, reverse-proxy allow-lists or network segmentation so that only legitimate agents and administrators can reach them. The flaw requires no authentication, so reachability is the entire attack surface.
• Add Web Application Firewall (WAF) rules that reject request bodies carrying a Java object stream: the raw stream header bytes AC ED 00 05, their base64 form (which always begins "rO0AB"), or URL-encoded variants of either.
• Monitor WebLogic server and OAM logs for deserialization errors (ClassNotFoundException, InvalidClassException, ObjectInputStream stack traces) and watch for unexpected outbound connections from the OAM host, which gadget-chain payloads commonly use to fetch a second stage.
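As a worked illustration of the WAF and monitoring mitigations above, the following Python script is an added example, not code from Invicti, Oracle, or this advisory. It inspects an HTTP request's path and body for the Java object-stream header 0xACED0005 in the three encodings a Java endpoint will typically accept (raw bytes, base64 beginning "rO0AB", and percent-encoded form data) and decides whether to block or merely alert. The OpenSSO agent path prefix `/oam/server/opensso/` is an assumption to confirm against your own deployment, and the sample requests are constructed for illustration.

```python
"""Flag HTTP requests carrying Java serialized objects (interim detection).

Added example, not Invicti's or Oracle's code. Looks for the Java object-stream
magic 0xACED0005 as raw bytes, as base64 ("rO0AB..."), as a hex string, or
percent-encoded inside a form body, and escalates to "block" when the request
also targets the OpenSSO agent path.
"""
import re
from urllib.parse import unquote_to_bytes

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# base64 of the four magic bytes always starts with these five characters
BASE64_MAGIC_PREFIX = b"rO0AB"
HEX_MAGIC = re.compile(rb"aced0005", re.IGNORECASE)
# Assumed path prefix for OAM's OpenSSO agent endpoints; verify in your deployment.
OPENSSO_PATH_PREFIX = "/oam/server/opensso/"


def find_serialized_payload(body: bytes) -> list[str]:
    """Return the encodings in which a Java object stream appears in the body."""
    hits = []
    if JAVA_STREAM_MAGIC in body:
        hits.append("raw")
    if BASE64_MAGIC_PREFIX in body:
        hits.append("base64")
    if HEX_MAGIC.search(body):
        hits.append("hex")
    # Form bodies may percent-encode the payload; decode once and re-check.
    decoded = unquote_to_bytes(body)
    if decoded != body:
        if JAVA_STREAM_MAGIC in decoded:
            hits.append("url-encoded")
        if BASE64_MAGIC_PREFIX in decoded and "base64" not in hits:
            hits.append("url-encoded-base64")
    return hits


def assess_request(method: str, path: str, body: bytes) -> dict:
    """Classify a request: block serialized data aimed at the agent path, alert elsewhere."""
    hits = find_serialized_payload(body)
    if hits and path.startswith(OPENSSO_PATH_PREFIX):
        verdict = "block"
    elif hits:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"method": method, "path": path, "encodings": hits, "verdict": verdict}


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("POST", "/oam/server/opensso/test", b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),
    ("POST", "/oam/server/opensso/test", b"token=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA"),
    ("POST", "/oam/server/opensso/test", b"data=%AC%ED%00%05sr%00%11java.util.HashMap"),
    ("POST", "/some/other/app", b"blob=aced0005737200116a6176612e7574696c2e"),
    ("POST", "/oam/server/opensso/test", b"user=alice&agent=webgate01"),
]


def main() -> None:
    for method, path, body in SAMPLE_REQUESTS:
        result = assess_request(method, path, body)
        print(f"{result['verdict']:5}  {method} {path}  encodings={result['encodings']}")


if __name__ == "__main__":
    main()
```

Run it directly to see one verdict line per sample. In a real deployment the same logic belongs in the reverse proxy or WAF in front of OAM; a "block" verdict for the agent path is safe because legitimate OpenSSO agents do not need to post Java object streams from untrusted networks, while an "alert" elsewhere is worth a look but may need tuning, since the five-character base64 prefix can occasionally appear by chance in unrelated base64 data.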

4. Verification:
After patching, confirm the installed patch level with OPatch (opatch lsinventory) against the patch numbers listed in the CPU, then rescan the system to confirm the finding no longer reproduces and that requests carrying serialized Java objects to the OpenSSO Agent endpoints are rejected.

5. Post-Remediation:
Because this flaw was exploited in the wild before many deployments were patched, review web server and WebLogic logs for POST requests to the OpenSSO Agent endpoints carrying serialized payloads, for unexpected child processes of the application server, and for new or modified files under the WebLogic domain directory. Treat any such indicator as a potential compromise: conduct a full security assessment of the affected hosts and rotate the credentials and keys OAM holds, rather than relying on the patch alone.