CVE Vulnerabilities

CVE-2021-2351

Use of a Broken or Risky Cryptographic Algorithm

Published: Jul 21, 2021 | Modified: Feb 16, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.x
5.1 MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: Changes in Native Network Encryption with the July 2021 Critical Patch Update (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Weakness

The product uses a broken or risky cryptographic algorithm or protocol.

Affected Software

Name Vendor Start Version End Version
Advanced_networking_option Oracle 12.1.0.2 12.1.0.2
Advanced_networking_option Oracle 12.2.0.1 12.2.0.1
Advanced_networking_option Oracle 19c 19c
Agile_engineering_data_management Oracle 6.2.1.0 6.2.1.0
Agile_plm Oracle 9.3.6 9.3.6
Agile_product_lifecycle_management_for_process Oracle 6.2.2.0 6.2.2.0
Agile_product_lifecycle_management_for_process Oracle 6.2.3.0 6.2.3.0
Airlines_data_model Oracle 12.1.1.0.0 12.1.1.0.0
Airlines_data_model Oracle 12.2.0.1.0 12.2.0.1.0
Application_performance_management Oracle 13.4.1.0 13.4.1.0
Application_performance_management Oracle 13.5.1.0 13.5.1.0
Application_testing_suite Oracle 13.3.0.1 13.3.0.1
Argus_analytics Oracle 8.2.1 8.2.1
Argus_analytics Oracle 8.2.2 8.2.2
Argus_analytics Oracle 8.2.3 8.2.3
Argus_insight Oracle 8.2.1 8.2.1
Argus_insight Oracle 8.2.2 8.2.2
Argus_insight Oracle 8.2.3 8.2.3
Argus_mart Oracle 8.2.1 8.2.1
Argus_mart Oracle 8.2.2 8.2.2
Argus_mart Oracle 8.2.3 8.2.3
Argus_safety Oracle 8.2.1 8.2.1
Argus_safety Oracle 8.2.2 8.2.2
Argus_safety Oracle 8.2.3 8.2.3
Banking_apis Oracle 18.1 18.3
Banking_apis Oracle 19.1 19.1
Banking_apis Oracle 19.2 19.2
Banking_apis Oracle 20.1 20.1
Banking_apis Oracle 21.1 21.1
Banking_digital_experience Oracle 18.1 18.3
Banking_digital_experience Oracle 17.2 17.2
Banking_digital_experience Oracle 19.1 19.1
Banking_digital_experience Oracle 19.2 19.2
Banking_digital_experience Oracle 20.1 20.1
Banking_digital_experience Oracle 21.1 21.1
Banking_enterprise_default_management Oracle 2.10.0 2.10.0
Banking_enterprise_default_management Oracle 2.12.0 2.12.0
Banking_platform Oracle 2.6.2 2.6.2
Banking_platform Oracle 2.7.1 2.7.1
Banking_platform Oracle 2.12.0 2.12.0
Big_data_spatial_and_graph Oracle * *
Blockchain_platform Oracle 21.1.2 21.1.2
Clinical Oracle 5.2.1 5.2.1
Clinical Oracle 5.2.2 5.2.2
Commerce_platform Oracle 11.3.0 11.3.0
Commerce_platform Oracle 11.3.1 11.3.1
Commerce_platform Oracle 11.3.2 11.3.2
Communications_application_session_controller Oracle 3.9.0 3.9.0
Communications_billing_and_revenue_management Oracle 12.0.0.4 12.0.0.4
Communications_billing_and_revenue_management Oracle 12.0.0.5 12.0.0.5
Communications_calendar_server Oracle 8.0.0.5.0 8.0.0.5.0
Communications_contacts_server Oracle 8.0.0.3.0 8.0.0.3.0
Communications_convergent_charging_controller Oracle 12.0.1.0.0 12.0.4.0.0
Communications_convergent_charging_controller Oracle 6.0.1.0.0 6.0.1.0.0
Communications_data_model Oracle 11.3.2.1.0 11.3.2.1.0
Communications_data_model Oracle 11.3.2.2.0 11.3.2.2.0
Communications_data_model Oracle 11.3.2.3.0 11.3.2.3.0
Communications_data_model Oracle 12.1.0.1.0 12.1.0.1.0
Communications_data_model Oracle 12.1.2.0.0 12.1.2.0.0
Communications_design_studio Oracle 7.3.5 7.3.5
Communications_design_studio Oracle 7.4.0 7.4.0
Communications_design_studio Oracle 7.4.1 7.4.1
Communications_design_studio Oracle 7.4.2 7.4.2
Communications_diameter_intelligence_hub Oracle 8.0.0 8.2.3
Communications_ip_service_activator Oracle 7.4.0 7.4.0
Communications_metasolv_solution Oracle 6.3.1 6.3.1
Communications_network_charging_and_control Oracle 12.0.1.0 12.0.4.0.0
Communications_network_charging_and_control Oracle 6.0.1.0.0 6.0.1.0.0
Communications_network_integrity Oracle 7.3.5 7.3.5
Communications_network_integrity Oracle 7.3.6 7.3.6
Communications_pricing_design_center Oracle 12.0.0.4 12.0.0.4
Communications_pricing_design_center Oracle 12.0.0.5 12.0.0.5
Communications_services_gatekeeper Oracle 7.0 7.0
Communications_session_report_manager Oracle 8.0.0 8.2.5.0
Communications_session_route_manager Oracle 8.2.0 8.2.5
Data_integrator Oracle 12.2.1.3.0 12.2.1.3.0
Data_integrator Oracle 12.2.1.4.0 12.2.1.4.0
Demantra_demand_management Oracle 12.2.6 12.2.11
Documaker Oracle 12.6.2 12.6.4
Documaker Oracle 12.6.0 12.6.0
Documaker Oracle 12.7.0 12.7.0
Enterprise_data_quality Oracle 12.2.1.3.0 12.2.1.3.0
Enterprise_data_quality Oracle 12.2.1.4.0 12.2.1.4.0
Enterprise_manager_base_platform Oracle 13.4.0.0 13.4.0.0
Enterprise_manager_base_platform Oracle 13.5.0.0 13.5.0.0
Enterprise_manager_ops_center Oracle 12.4.0.0 12.4.0.0
Financial_services_analytical_applications_infrastructure Oracle 8.0.7 8.1.1
Financial_services_behavior_detection_platform Oracle 8.0.7 8.0.7
Financial_services_behavior_detection_platform Oracle 8.0.8 8.0.8
Financial_services_behavior_detection_platform Oracle 8.0.11 8.0.11
Financial_services_enterprise_case_management Oracle 8.0.7 8.0.7
Financial_services_enterprise_case_management Oracle 8.0.8 8.0.8
Financial_services_enterprise_case_management Oracle 8.0.11 8.0.11
Financial_services_foreign_account_tax_compliance_act_management Oracle 8.0.7 8.0.7
Financial_services_foreign_account_tax_compliance_act_management Oracle 8.0.8 8.0.8
Financial_services_foreign_account_tax_compliance_act_management Oracle 8.0.11 8.0.11
Financial_services_model_management_and_governance Oracle 8.0.8.0.0 8.1.1.0.0
Financial_services_trade-based_anti_money_laundering Oracle 8.0.7 8.0.7
Financial_services_trade-based_anti_money_laundering Oracle 8.0.8 8.0.8
Flexcube_investor_servicing Oracle 12.0.4 12.0.4
Flexcube_investor_servicing Oracle 12.1.0 12.1.0
Flexcube_investor_servicing Oracle 12.3.0 12.3.0
Flexcube_investor_servicing Oracle 12.4.0 12.4.0
Flexcube_investor_servicing Oracle 14.4.0 14.4.0
Flexcube_investor_servicing Oracle 14.5.0 14.5.0
Flexcube_private_banking Oracle 12.0.0 12.0.0
Flexcube_private_banking Oracle 12.1.0 12.1.0
Fusion_middleware Oracle 12.2.1.3.0 12.2.1.3.0
Fusion_middleware Oracle 12.2.1.4.0 12.2.1.4.0
Goldengate Oracle * *
Goldengate Oracle 19.1.0.0.1 *
Goldengate_application_adapters Oracle * *
Graph_server_and_client Oracle * *
Health_sciences_clinical_development_analytics Oracle 4.0.1 4.0.1
Health_sciences_inform_crf_submit Oracle 6.2.1 6.2.1
Health_sciences_information_manager Oracle 3.0.2 3.0.2
Health_sciences_information_manager Oracle 3.0.3 3.0.3
Healthcare_data_repository Oracle 7.0.2 7.0.2
Healthcare_data_repository Oracle 8.1.0 8.1.0
Healthcare_data_repository Oracle 8.1.1 8.1.1
Healthcare_foundation Oracle 7.3.0 7.3.0.2
Healthcare_foundation Oracle 8.0.0 8.0.2
Healthcare_foundation Oracle 8.1.0 8.1.1
Healthcare_translational_research Oracle 4.1.0 4.1.0
Hospitality_inventory_management Oracle * *
Hospitality_inventory_management Oracle 9.1.0 9.1.0
Hospitality_opera_5 Oracle 5.6 5.6
Hospitality_reporting_and_analytics Oracle 9.1.0 9.1.0
Hospitality_suite8 Oracle 8.10.2 8.10.2
Hospitality_suite8 Oracle 8.11.0 8.11.0
Hospitality_suite8 Oracle 8.12.0 8.12.0
Hospitality_suite8 Oracle 8.13.0 8.13.0
Hospitality_suite8 Oracle 8.14.0 8.14.0
Hyperion_infrastructure_technology Oracle 11.2.7.0 11.2.7.0
Ilearning Oracle 6.2 6.2
Ilearning Oracle 6.3 6.3
Instantis_enterprisetrack Oracle 17.1 17.1
Instantis_enterprisetrack Oracle 17.2 17.2
Instantis_enterprisetrack Oracle 17.3 17.3
Insurance_data_gateway Oracle 11.0.2 11.0.2
Insurance_data_gateway Oracle 11.1.0 11.1.0
Insurance_data_gateway Oracle 11.2.7 11.2.7
Insurance_data_gateway Oracle 11.3.0 11.3.0
Insurance_data_gateway Oracle 11.3.1 11.3.1
Insurance_insbridge_rating_and_underwriting Oracle 5.4 5.6.0
Insurance_insbridge_rating_and_underwriting Oracle 5.2.0 5.2.0
Insurance_policy_administration Oracle 11.0.2 11.0.2
Insurance_policy_administration Oracle 11.1.0 11.1.0
Insurance_policy_administration Oracle 11.2.7 11.2.7
Insurance_policy_administration Oracle 11.3.0 11.3.0
Insurance_policy_administration Oracle 11.3.1 11.3.1
Insurance_rules_palette Oracle 11.0.2 11.0.2
Insurance_rules_palette Oracle 11.1.0 11.1.0
Insurance_rules_palette Oracle 11.2.7 11.2.7
Insurance_rules_palette Oracle 11.3.0 11.3.0
Insurance_rules_palette Oracle 11.3.1 11.3.1
Jd_edwards_enterpriseone_tools Oracle 9.2.6.3 9.2.6.3
Oss_support_tools Oracle * *
Peoplesoft_enterprise_peopletools Oracle 8.57 8.57
Peoplesoft_enterprise_peopletools Oracle 8.58 8.58
Peoplesoft_enterprise_peopletools Oracle 8.59 8.59
Policy_automation Oracle 12.2.0 12.2.24
Primavera_analytics Oracle 18.8.3.3 18.8.3.3
Primavera_analytics Oracle 19.12.11.1 19.12.11.1
Primavera_analytics Oracle 20.12.12.0 20.12.12.0
Primavera_data_warehouse Oracle 18.8.3.3 18.8.3.3
Primavera_data_warehouse Oracle 19.12.11.1 19.12.11.1
Primavera_data_warehouse Oracle 20.12.12.0 20.12.12.0
Primavera_gateway Oracle 17.12.0 17.12.11
Primavera_gateway Oracle 18.8.0 18.8.12
Primavera_gateway Oracle 19.12.0 19.12.11
Primavera_gateway Oracle 20.12.0 20.12.7
Primavera_p6_enterprise_project_portfolio_management Oracle 17.12.0.0 17.12.20
Primavera_p6_enterprise_project_portfolio_management Oracle 18.8.0.0 18.8.24
Primavera_p6_enterprise_project_portfolio_management Oracle 19.12.0.0 19.12.17.0
Primavera_p6_enterprise_project_portfolio_management Oracle 20.12.0.0 20.12.9.0
Primavera_p6_professional_project_management Oracle 17.12 17.12.20.0
Primavera_p6_professional_project_management Oracle 18.8 18.8.24.0
Primavera_p6_professional_project_management Oracle 19.12.0.0 19.12.17.0
Primavera_p6_professional_project_management Oracle 20.12.0.0 20.12.9.0
Primavera_unifier Oracle 17.7 17.12
Primavera_unifier Oracle 18.8 18.8
Primavera_unifier Oracle 19.12 19.12
Primavera_unifier Oracle 20.12 20.12
Primavera_unifier Oracle 21.12 21.12
Product_lifecycle_analytics Oracle 3.6.1 3.6.1
Rapid_planning Oracle 12.2.6 12.2.11
Real_user_experience_insight Oracle 13.4.1.0 13.4.1.0
Real_user_experience_insight Oracle 13.5.1.0 13.5.1.0
Retail_analytics Oracle 16.0.0 16.0.2
Retail_assortment_planning Oracle 16.0.3 16.0.3
Retail_back_office Oracle 14.1 14.1
Retail_central_office Oracle 14.1 14.1
Retail_customer_insights Oracle 16.0 16.0.2
Retail_extract_transform_and_load Oracle 13.2.8 13.2.8
Retail_financial_integration Oracle 14.1.3.2 14.1.3.2
Retail_financial_integration Oracle 15.0.3.1 15.0.3.1
Retail_financial_integration Oracle 16.0.3.0 16.0.3.0
Retail_financial_integration Oracle 19.0.1 19.0.1
Retail_integration_bus Oracle 14.1.3.2 14.1.3.2
Retail_integration_bus Oracle 15.0.3.1 15.0.3.1
Retail_integration_bus Oracle 16.0.3 16.0.3
Retail_integration_bus Oracle 19.0.1 19.0.1
Retail_merchandising_system Oracle 19.0.1 19.0.1
Retail_order_broker Oracle 16.0 16.0
Retail_order_broker Oracle 18.0 18.0
Retail_order_broker Oracle 19.1 19.1
Retail_order_management_system Oracle 19.5 19.5
Retail_point-of-service Oracle 14.1 14.1
Retail_predictive_application_server Oracle 14.1.3 14.1.3
Retail_predictive_application_server Oracle 15.0.3 15.0.3
Retail_predictive_application_server Oracle 16.0.3 16.0.3
Retail_price_management Oracle 14.1 14.1
Retail_price_management Oracle 15.0 15.0
Retail_price_management Oracle 16.0 16.0
Retail_returns_management Oracle 14.1 14.1
Retail_service_backbone Oracle 14.1.3.2 14.1.3.2
Retail_service_backbone Oracle 15.0.3.1 15.0.3.1
Retail_service_backbone Oracle 16.0.3 16.0.3
Retail_service_backbone Oracle 19.0.1 19.0.1
Retail_store_inventory_management Oracle 14.1 14.1
Retail_store_inventory_management Oracle 15.0 15.0
Retail_store_inventory_management Oracle 16.0 16.0
Retail_xstore_point_of_service Oracle 17.0.4 17.0.4
Retail_xstore_point_of_service Oracle 18.0.3 18.0.3
Retail_xstore_point_of_service Oracle 19.0.2 19.0.2
Retail_xstore_point_of_service Oracle 20.0.1 20.0.1
Siebel_ui_framework Oracle * 21.12
Spatial_studio Oracle * *
Storagetek_acsls Oracle 8.5.1 8.5.1
Storagetek_tape_analytics Oracle 2.4 2.4
Thesaurus_management_system Oracle 5.2.3 5.2.3
Thesaurus_management_system Oracle 5.3.0 5.3.0
Thesaurus_management_system Oracle 5.3.1 5.3.1
Timesten_in-memory_database Oracle * *
Timesten_in-memory_database Oracle 21.1.1.1.0 21.1.1.1.0
Utilities_framework Oracle 4.3.0.1.0 4.3.0.6.0
Utilities_framework Oracle 4.2.0.3.0 4.2.0.3.0
Utilities_framework Oracle 4.4.0.0.0 4.4.0.0.0
Utilities_framework Oracle 4.4.0.2.0 4.4.0.2.0
Utilities_framework Oracle 4.4.0.3.0 4.4.0.3.0
Utilities_testing_accelerator Oracle 6.0.0.1.1 6.0.0.1.1
Utilities_testing_accelerator Oracle 6.0.0.2.2 6.0.0.2.2
Utilities_testing_accelerator Oracle 6.0.0.3.1 6.0.0.3.1
Weblogic_server Oracle 12.2.1.3.0 12.2.1.3.0
Weblogic_server Oracle 12.2.1.4.0 12.2.1.4.0
Weblogic_server Oracle 14.1.1.0.0 14.1.1.0.0
Zfs_storage_application_integration_engineering_software Oracle 1.3.3 1.3.3

Extended Description

Cryptographic algorithms are the methods by which data is scrambled to prevent observation or influence by unauthorized actors. Insecure cryptography can be exploited to expose sensitive information, modify data in unexpected ways, spoof identities of other users or devices, or other impacts. It is very difficult to produce a secure algorithm, and even high-profile algorithms by accomplished cryptographic experts have been broken. Well-known techniques exist to break or weaken various kinds of cryptography. Accordingly, there are a small number of well-understood and heavily studied algorithms that should be used by most products. Using a non-standard or known-insecure algorithm is dangerous because a determined adversary may be able to break the algorithm and compromise whatever data has been protected. Since the state of cryptography advances so rapidly, it is common for an algorithm to be considered “unsafe” even if it was once thought to be strong. This can happen when new attacks are discovered, or if computing power increases so much that the cryptographic algorithm no longer provides the amount of protection that was originally thought. For a number of reasons, this weakness is even more challenging to manage with hardware deployment of cryptographic algorithms as opposed to software implementation. First, if a flaw is discovered with hardware-implemented cryptography, the flaw cannot be fixed in most cases without a recall of the product, because hardware is not easily replaceable like software. Second, because the hardware product is expected to work for years, the adversary’s computing power will only increase over time.

Potential Mitigations

  • When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis.
  • For example, US government systems require FIPS 140-2 certification [REF-1192].
  • Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak.
  • Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267]
  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Industry-standard implementations will save development time and may be more likely to avoid errors that can occur during implementation of cryptographic algorithms. Consider the ESAPI Encryption feature.

References