In January 2022, Oracle published a security advisory for CVE-2022-21346 — a serious vulnerability in Oracle BI Publisher, which is a critical reporting and publishing component of Oracle Fusion Middleware. This flaw affects versions 5.5..., 12.2.1.3., and 12.2.1.4.. What makes CVE-2022-21346 especially dangerous is its simplicity: an attacker doesn't need credentials or to trick a target user. All they need is network access via HTTP.

Read on to understand what the vulnerability is, see code snippets, get links to official sources, and learn how an attack works.

What is CVE-2022-21346?

CVE-2022-21346 is a security bug in the BI Publisher Security component of Oracle BI Publisher. It's classified as "easily exploitable," with a CVSS (Common Vulnerability Scoring System) base score of 7.5 (High). The impact falls entirely on confidentiality: an attacker can read data but, per the scoring, cannot modify or delete it.

Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

The official vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Why is it Dangerous?

1. No Authentication: Any Internet (or network) user can attack an exposed Oracle BI Publisher instance directly.
2. Exposes Sensitive Data: Exploitation means stealing reports, stored data sources, and possibly sensitive credentials.
3. Simple to Exploit: A single HTTP request is enough; no prior hacking skills required.
4. Critical for Businesses: BI Publisher is used by many organizations for financial, HR, and operational reporting.

How Does the Exploit Work?

While Oracle did not publish full technical details to avoid "weaponizing" the exploit, independent researchers and patch diffing reveal that CVE-2022-21346 stems from a missing or broken access control check on certain URLs or HTTP endpoints.

Simulated Exploit Scenario

Let's break down a possible exploit scenario. Suppose the vulnerability is an IDOR (Insecure Direct Object Reference) or similar, letting outsiders download reports.

Example snippet (replace SERVER and REPORT_ID):

curl -k "https://SERVER:9704/xmlpserver/DownloadReport?reportId=REPORT_ID"

A vulnerable Oracle BI Publisher instance sends back the full report. No username or password needed!

More Detailed HTTP Request

GET /xmlpserver/DownloadReport?reportId=001 HTTP/1.1
Host: example-bipublisher.com
User-Agent: Mozilla/5.
Accept: */*

Potential response

HTTP/1.1 200 OK
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Content-Length: 12456

(binary Excel file begins...)

Typically, backend code should check whether the incoming HTTP request is both authenticated and authorized before serving a report:

// PSEUDOCODE: checks that belong in front of every report endpoint
if (!user.isAuthenticated()) {
    response.sendError(401);   // not logged in at all
    return;
}
if (!user.canAccess(reportId)) {
    response.sendError(403);   // logged in, but not allowed to read this report
    return;
}

In the affected BI Publisher versions, this check is missing or not enforced on some endpoints:

// What happens instead: no authentication or authorization check,
// so the attacker's request is processed directly
return getReport(reportId);

In some cases, the downloaded data can also expose further protection misconfigurations or give an attacker what they need to pivot to other sensitive systems.

If you run any of the affected BI Publisher versions and your server is internet-facing or even accessible on a corporate LAN, you’re at risk.
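A defender-side check, added here and not part of Oracle's product or the original post: it scans web access-log lines (constructed samples in Common Log Format) for successful report downloads by clients that never touched the login page earlier in the log. The DownloadReport endpoint is carried over from the simulated scenario above and the /xmlpserver/login.jsp login path is likewise an assumption; adjust both to what your deployment actually logs.

```python
import re

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2022:10:00:01 +0000] "GET /xmlpserver/login.jsp HTTP/1.1" 200 2311
10.0.0.5 - - [19/Jan/2022:10:00:09 +0000] "POST /xmlpserver/login.jsp HTTP/1.1" 302 0
10.0.0.5 - - [19/Jan/2022:10:01:12 +0000] "GET /xmlpserver/DownloadReport?reportId=001 HTTP/1.1" 200 12456
203.0.113.7 - - [19/Jan/2022:10:05:40 +0000] "GET /xmlpserver/DownloadReport?reportId=001 HTTP/1.1" 200 12456
203.0.113.7 - - [19/Jan/2022:10:05:41 +0000] "GET /xmlpserver/DownloadReport?reportId=002 HTTP/1.1" 200 9980
203.0.113.7 - - [19/Jan/2022:10:05:42 +0000] "GET /xmlpserver/DownloadReport?reportId=003 HTTP/1.1" 404 311
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
LOGIN_PATH = "/xmlpserver/login.jsp"  # assumed login endpoint, verify for your install
DOWNLOAD_RE = re.compile(r"^/xmlpserver/DownloadReport\?reportId=(?P<rid>[^&]+)")  # assumed


def find_unauthenticated_downloads(log_text):
    """Return (ip, reportId) pairs for successful (HTTP 200) report downloads
    from clients that never requested the login page earlier in the log.
    Heuristic only: SSO or a session established before the log window can make
    a legitimate client look the same, so treat hits as leads to investigate."""
    seen_login = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in other formats rather than failing
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if path.startswith(LOGIN_PATH):
            seen_login.add(ip)
            continue
        d = DOWNLOAD_RE.match(path)
        if d and status == 200 and ip not in seen_login:
            findings.append((ip, d["rid"]))
    return findings


if __name__ == "__main__":
    for ip, rid in find_unauthenticated_downloads(SAMPLE_LOG):
        print(f"possible unauthenticated download: {ip} reportId={rid}")
```

On the sample above only the 203.0.113.7 downloads of reports 001 and 002 are flagged; the 404 is ignored and 10.0.0.5 is cleared by its earlier login request.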

Official Oracle Advisory: Oracle Critical Patch Update Advisory - January 2022

CVE Record Details: NVD – CVE-2022-21346

MITRE CVE Record: MITRE – CVE-2022-21346

Research & Patch Diffing: tenable.com (example, may not provide PoC)

Summary

CVE-2022-21346 is a critical access control bug in Oracle BI Publisher. It allows any unauthenticated user to access sensitive data simply by making a crafted HTTP request. This is a classic example of why patching and least-privilege network practices are so important. If you use BI Publisher versions 5.5..., 12.2.1.3., or 12.2.1.4., update immediately and audit your systems.


*Stay secure and always keep your business software up to date!*

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 01/24/2022 19:00:00 UTC