How to Fix CVE-2021-35587: Oracle Access Manager Unauthenticated RCE
*By Sai Kiran Pandrala*
| Severity | CVSS 9.8, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV |
| Affected | Oracle Access Manager (component of Oracle Fusion Middleware) 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0 |
| Fixed in | Apply Oracle CPU October 2021 or any later quarterly CPU |
| Type (CWE) | Unauthenticated Remote Code Execution |
⚠️ OAM is the SSO authority for Oracle environments. Compromise means every Oracle-integrated app inherits the breach.
What is CVE-2021-35587?
Oracle Access Manager (OAM) is the single sign-on broker for Oracle Fusion Middleware environments: Forms, Reports, WebCenter, Identity Manager, and custom apps that delegate authentication to OAM all rely on it. The vulnerability lets an unauthenticated remote attacker take complete control of OAM via a crafted request.
Once an attacker controls OAM, they can issue valid authentication tokens for any application that trusts OAM, bypassing the actual authentication for all integrated services. That's an organization-wide identity compromise.
Am I affected?
You are affected if you run Oracle Access Manager at:
- 11.1.2.3.0 (any Bundle Patch below the October 2021 CPU)
- 12.2.1.3.0 (any Bundle Patch below the October 2021 CPU)
- 12.2.1.4.0 (any Bundle Patch below the October 2021 CPU)
Check the OAM version in the OAM Console (About Oracle Access Manager), or list the applied Bundle Patches from the OPatch inventory (opatch lsinventory) in the OAM Oracle Home.
How to fix CVE-2021-35587
- Open the Oracle Critical Patch Update Advisory, October 2021 and identify the OAM Bundle Patch.
- Download the Bundle Patch from My Oracle Support.
- Stop the WebLogic Admin Server and OAM Managed Servers for the OAM domain.
- Apply the patch via OPatch following Oracle's documented OAM patching procedure.
- Run any required post-install configuration scripts documented in the patch readme.
- Restart the OAM servers and verify version.
Apply the latest cumulative CPU rather than just the October 2021 fix; newer CPUs include this fix plus dozens of subsequent OAM security updates.
Patching via an OS package manager
OAM is not shipped as an operating-system package, so there is no apt, dnf, zypper or Windows Update path for this fix. The patched binaries come only as the OAM Bundle Patch from My Oracle Support, applied with OPatch in the OAM Oracle Home as described in the steps above. After patching, confirm the Bundle Patch level from the OPatch inventory:
opatch lsinventory
Verify the fix landed
# 1. Confirm from the OPatch inventory that the Bundle Patch listed in the advisory (October 2021 CPU or any later cumulative CPU) is applied:
# https://www.oracle.com/security-alerts/cpujan2022.html
opatch lsinventory
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
# The scanner should no longer flag CVE-2021-35587 on the patched target.
# 3. Inspect recent WebLogic server and OS logs for crash loops or rollback events.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
If you can't patch immediately
- Restrict OAM admin and protected-resource endpoints to internal traffic at the perimeter.
- Increase logging on OAM and watch for unauthenticated requests to admin paths.
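The second interim control above is only useful if someone actually reviews the logs. The following is an added example, not Oracle code or part of the original guide: it reads Common Log Format access lines (as written by the web tier in front of OAM), and flags requests to admin paths whose authuser field is "-" (no authenticated user). The admin path prefixes, the internal address range and the log lines themselves are constructed assumptions to adapt to your deployment; external unauthenticated hits on admin paths are rated higher than internal ones because the first mitigation above should already block them at the perimeter.

```python
"""Flag unauthenticated requests to OAM admin paths in access logs.

Added example for the interim mitigations; not Oracle code. Assumes
Common Log Format lines (authuser "-" means no authenticated user), an
assumed list of admin path prefixes and an assumed internal range.
The sample log lines are constructed, not captured from a real system.
"""
import ipaddress
import re

# Assumed: paths that should only ever see authenticated admin traffic.
ADMIN_PREFIXES = ("/oamconsole", "/oam/admin")
# Assumed: the address range that the perimeter rule treats as internal.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common Log Format: ip ident authuser [timestamp] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: one legitimate admin login, one external unauthenticated
# POST to the console, one ordinary protected-app request, one internal probe.
SAMPLE_LOG = [
    '10.0.0.5 - weblogic [12/Nov/2021:09:00:01 +0000] "GET /oamconsole/faces/admin.jspx HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Nov/2021:09:00:02 +0000] "POST /oamconsole/ HTTP/1.1" 200 812',
    '203.0.113.7 - - [12/Nov/2021:09:00:03 +0000] "GET /protected/app/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/Nov/2021:09:00:04 +0000] "GET /oamconsole/ HTTP/1.1" 401 0',
]


def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def is_internal(ip):
    """True when the client address falls inside an internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious(lines):
    """Return findings for unauthenticated requests to admin path prefixes.

    Severity is "high" for external sources (the perimeter rule should have
    stopped them) and "medium" for internal ones (worth a look, may be benign).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIXES):
            continue
        if rec["user"] != "-":
            continue  # authenticated admin traffic is expected on these paths
        severity = "medium" if is_internal(rec["ip"]) else "high"
        findings.append({
            "ip": rec["ip"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['status']} {f['path']}")
```

Feed real access logs through find_suspicious (one line per list element) and route "high" findings to your alerting pipeline; a 200 response to an unauthenticated request on an admin path is the case to escalate first.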
How to verify the fix worked
- The OPatch inventory (opatch lsinventory) shows the applied Bundle Patch level.
- Run an authenticated vulnerability scan against OAM. CVE-2021-35587 detection should clear.
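To turn the "Am I affected?" check and the OPatch verification step above into something that can run across a fleet, here is an added example that is not part of the original guide or of Oracle's tooling. It takes the OAM version string and the text of opatch lsinventory, and reports whether the host still needs the Bundle Patch. The affected-version set comes from the article; the lsinventory line format ("Patch <id> : applied on <date>") is an assumption, and the required patch ID is a placeholder to be replaced with the ID from the October 2021 CPU advisory.

```python
"""Decide whether an OAM host still needs the CVE-2021-35587 Bundle Patch.

Added example, not Oracle tooling. Assumes the affected versions listed in
the guide and that `opatch lsinventory` prints applied patches on lines of
the form "Patch  <id>  : applied on <date>" (assumed; check your output).
"""
import re
import subprocess

# Affected versions from the guide (any Bundle Patch below the Oct 2021 CPU).
AFFECTED_VERSIONS = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}

# Placeholder: take the real Bundle Patch ID from the CPU advisory.
REQUIRED_BUNDLE_PATCH = "REPLACE_WITH_PATCH_ID_FROM_CPU"

# Assumed lsinventory line format for an applied patch.
PATCH_LINE = re.compile(r"^\s*Patch\s+(\d+)\s*:\s*applied on", re.MULTILINE)

# Constructed sample of lsinventory output (not real Oracle output).
SAMPLE_LSINVENTORY = """\
Oracle Interim Patch Installer version 13.9.4.2.5
Interim patches (2) :

Patch  11111111     : applied on Mon Nov 15 10:02:11 UTC 2021
   Created on 20 Oct 2021, 08:15:33 hrs PST8PDT
Patch  33333333     : applied on Mon Nov 15 10:05:40 UTC 2021
"""


def applied_patches(lsinventory_output):
    """Return the set of patch IDs that lsinventory reports as applied."""
    return set(PATCH_LINE.findall(lsinventory_output))


def needs_patch(version, lsinventory_output, required=REQUIRED_BUNDLE_PATCH):
    """True when the version is affected and the required patch is absent."""
    if version not in AFFECTED_VERSIONS:
        return False
    return required not in applied_patches(lsinventory_output)


def run_lsinventory(oracle_home):
    """Run OPatch from the given Oracle Home and return its output text."""
    result = subprocess.run(
        [f"{oracle_home}/OPatch/opatch", "lsinventory"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    import sys
    # Usage: check_oam_patch.py <oam_version> <oracle_home>
    version, oracle_home = sys.argv[1], sys.argv[2]
    if needs_patch(version, run_lsinventory(oracle_home)):
        print(f"OAM {version}: Bundle Patch {REQUIRED_BUNDLE_PATCH} NOT applied")
        sys.exit(1)
    print(f"OAM {version}: not affected or already patched")
```

Run it on each OAM host with the OAM version and Oracle Home as arguments; a non-zero exit means the Bundle Patch is missing, which is convenient for fleet-wide checks from a scheduler or configuration management tool.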
Frequently asked questions
Is CVE-2021-35587 actively exploited?
Yes. CVE-2021-35587 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2021-35587?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://www.oracle.com/security-alerts/cpuoct2021.html
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official Oracle CPU October 2021: https://www.oracle.com/security-alerts/cpuoct2021.html
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-35587
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from the Oracle CPU October 2021 advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against the Oracle CPU advisory before applying changes in production.*
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2026-34308: MySQL Server (Bundle Sibling)
- How to Fix CVE-2026-35253: Origin Validation Error in Oracle Macaron Tool of Oracle Open Source Projects
- How to Fix CVE-2026-34310: Oracle Financial Services Analytical Applications Infrastructure (Bundle Sibling)
- How to Fix CVE-2026-21975: Critical Vulnerability in Oracle Database Server
- How to Fix CVE-2026-34277: PeopleSoft Enterprise PeopleTools (Bundle Sibling)