{
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "distribution": {
            "text": "Copyright © Oracle. All rights reserved.",
            "tlp": {
                "label": "WHITE",
                "url": "https://www.first.org/tlp"
            }
        },
        "lang": "en",
        "publisher": {
            "category": "vendor",
            "name": "Oracle",
            "namespace": "https://www.oracle.com"
        },
        "references": [
            {
                "summary": "URL to HTML version of Advisory",
                "url": "https://www.oracle.com/security-alerts/alert-cve-2026-21992.html"
            },
            {
                "category": "self",
                "summary": "URL to CSAF version of Advisory",
                "url": "https://www.oracle.com/docs/tech/security-alerts/cve-2026-21992csaf.json"
            }
        ],
        "title": "Oracle Security Alert for CVE-2026-21992 - Oracle CSAF",
        "tracking": {
            "current_release_date": "2026-03-19T12:00:00-07:00",
            "id": "CVE-2026-21992csaf",
            "initial_release_date": "2026-03-19T18:00:00-07:00",
            "revision_history": [
                {
                    "date": "2026-03-19T19:00:00-07:00",
                    "number": "1",
                    "summary": "Initial Release"
                },
                {
                    "date": "2026-03-19T12:00:00-07:00",
                    "number": "2",
                    "summary": "Rev 2. Added note"
                }
            ],
            "status": "final",
            "version": "2"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version",
                                        "name": "Oracle Identity Manager Version 12.2.1.4.0",
                                        "product": {
                                            "name": "Oracle Identity Manager Version 12.2.1.4.0",
                                            "product_id": "P-1980V-12.2.1.4.0",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version",
                                        "name": "Oracle Identity Manager Version 14.1.2.1.0",
                                        "product": {
                                            "name": "Oracle Identity Manager Version 14.1.2.1.0",
                                            "product_id": "P-1980V-14.1.2.1.0",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "Oracle Identity Manager"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version",
                                        "name": "Oracle Web Services Manager Version 12.2.1.4.0",
                                        "product": {
                                            "name": "Oracle Web Services Manager Version 12.2.1.4.0",
                                            "product_id": "P-1775V-12.2.1.4.0",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:oracle:web_services_manager:12.2.1.4.0:*:*:*:*:*:*:*"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version",
                                        "name": "Oracle Web Services Manager Version 14.1.2.1.0",
                                        "product": {
                                            "name": "Oracle Web Services Manager Version 14.1.2.1.0",
                                            "product_id": "P-1775V-14.1.2.1.0",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:oracle:web_services_manager:14.1.2.1.0:*:*:*:*:*:*:*"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "Oracle Web Services Manager"
                            }
                        ],
                        "category": "product_family",
                        "name": "Oracle Fusion Middleware"
                    }
                ],
                "category": "vendor",
                "name": "Oracle"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-21992",
            "ids": [
                {
                    "system_name": "Oracle Bug ID of Oracle Identity Manager",
                    "text": "38965612"
                },
                {
                    "system_name": "Oracle Bug ID of Oracle Web Services Manager",
                    "text": "39023318"
                }
            ],
            "notes": [
                {
                    "category": "description",
                    "text": "Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Services Manager. Successful attacks of this vulnerability can result in takeover of Oracle Web Services Manager. Note: Oracle Web Services Manager is installed with an Oracle Fusion Middleware Infrastructure. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
                    "title": "Vulnerability Description"
                },
                {
                    "category": "description",
                    "text": "Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
                    "title": "Vulnerability Description"
                }
            ],
            "product_status": {
                "known_affected": [
                    "P-1775V-12.2.1.4.0",
                    "P-1980V-14.1.2.1.0",
                    "P-1980V-12.2.1.4.0",
                    "P-1775V-14.1.2.1.0"
                ]
            },
            "remediations": [
                {
                    "category": "vendor_fix",
                    "details": "For Oracle customers with valid support contracts: see the linked support document.",
                    "product_ids": [
                        "P-1775V-12.2.1.4.0",
                        "P-1980V-14.1.2.1.0",
                        "P-1980V-12.2.1.4.0",
                        "P-1775V-14.1.2.1.0"
                    ],
                    "url": "https://support.oracle.com/rs?type=doc&id=KB878741"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "baseScore": 9.8,
                        "baseSeverity": "CRITICAL",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                        "version": "3.1"
                    },
                    "products": [
                        "P-1775V-12.2.1.4.0",
                        "P-1980V-14.1.2.1.0",
                        "P-1980V-12.2.1.4.0",
                        "P-1775V-14.1.2.1.0"
                    ]
                }
            ]
        }
    ]
}