Oracle Cloud Breach – CVE-2021-35587: AccuKnox CNAPP

March 26, 2025

The Oracle Cloud breach (CVE-2021-35587) exposed 6M records. AccuKnox CNAPP could have prevented it with IAM, privilege escalation controls, and secrets management. Post-breach, it aids remediation by scanning for leaks and monitoring for threats.

Reading Time: 6 minutes

TL;DR

  • The Oracle Cloud breach (CVE-2021-35587) exposed 6 million records via a critical vulnerability in Oracle Access Manager.
  • AccuKnox CNAPP could have prevented the breach using IAM, privilege escalation controls, container drift detection, VM security, and secrets management.
  • Post-breach remediation includes secrets scanning, runtime monitoring, and enforcing least privilege with MFA to detect and block further attacks.
  • AccuKnox integrates with Oracle Cloud Marketplace for seamless deployment and continuous zero-trust security enforcement.
  • Proactive zero-day threat detection, vulnerability scanning, and real-time enforcement help prevent similar future breaches.

On March 21, 2025, a massive supply chain breach hit Oracle Cloud, exposing 6 million records across 140,000 tenants. The threat actor “rose87168” exploited a login endpoint, likely using CVE-2021-35587, a critical vulnerability in Oracle Access Manager within Fusion Middleware 11G. Stolen data included Java KeyStore (JKS) files, encrypted SSO passwords, and Enterprise Manager JPS keys, now for sale on dark web forums. The attacker demanded a ransom of 100,000 Monero—over $200 million—from Oracle, which reportedly refused, leading to data leaks.

This incident underscores the risks of unauthorized access, credential compromise, and supply chain infiltration. How could this have been prevented, and what can be done now? Let’s explore how AccuKnox CNAPP could have mitigated this breach and how it can help remediate the fallout.

Oracle breach: Threat Actor Listing 6M records

Preventing the Breach with AccuKnox CNAPP

The Oracle Cloud breach exploited a known vulnerability, CVE-2021-35587, in an outdated system. AccuKnox CNAPP could have prevented this through proactive security measures across multiple layers.

  1. AccuKnox’s Identity and Access Management (IAM) capabilities enforce strict access controls. By applying the principle of least privilege, they ensure that only authorized processes access sensitive resources like SSO credentials. For instance, in Oracle Cloud environments, AccuKnox, available via the Oracle Cloud Marketplace, could have restricted access to the vulnerable login endpoint, reducing the attack surface.
  2. AccuKnox’s Privilege Escalation prevention would have blocked unauthorized attempts to gain higher privileges. CVE-2021-35587 allowed unauthenticated attackers to execute remote code and take over Oracle Access Manager. AccuKnox’s runtime security, powered by KubeArmor, monitors for suspicious behavior and blocks privilege escalation attempts in real time, as detailed in our approach to zero-day attacks.
  3. Container Drift Detection could have identified unauthorized changes in the Oracle Cloud environment. If the attacker modified container configurations to exploit the vulnerability, AccuKnox would have flagged these drifts, preventing the breach from progressing. This feature ensures containers adhere to predefined security policies, a critical step for cloud-native setups.
  4. For Virtual Machine (VM) Security, AccuKnox scans for misconfigurations and vulnerabilities in VMs, which could have detected the outdated Fusion Middleware 11G instance. Its On-Premise Security support, ideal for air-gapped environments, ensures even isolated systems are protected through continuous monitoring and policy enforcement.
  5. AccuKnox also excels in secrets management, a key factor in this breach. The exposed JKS files and SSO passwords highlight the need for robust secrets management. AccuKnox integrates with tools like HashiCorp Vault to secure secrets, ensuring they are encrypted and accessible only to authorized processes. This could have prevented the attacker from accessing sensitive authentication data.

No matter your setup, our secret scanning ensures protection exactly where it matters most.

Remediating Post-Breach with AccuKnox CNAPP

The breach has already happened—now what? AccuKnox CNAPP offers practical steps to remediate the damage and prevent recurrence.

  1. Start with Secrets Scanning to identify and secure exposed credentials. AccuKnox’s secrets scanning capabilities, integrated with tools like GitLab, can scan repositories for leaked SSO passwords or JKS files, ensuring they are rotated immediately. This aligns with the recommendation to regenerate certificates and secrets post-breach.
  2. Next, use AccuKnox’s runtime protection to monitor for suspicious activity. Its observability features can audit LDAP logs for unauthorized access, a critical step in detecting ongoing threats. For instance, AccuKnox’s KnoxGuard for supply chain security can trace the attack’s entry point, identifying compromised integrations or third-party services.
  3. For credential compromise, AccuKnox’s IAM and privilege escalation controls can enforce multi-factor authentication (MFA) and least privilege policies, ensuring attackers can’t misuse stolen credentials. Its integration with Oracle Cloud Marketplace allows seamless deployment to rotate tenant-level credentials and update SASL hashes, as recommended.
  4. Finally, AccuKnox’s continuous monitoring strengthens access controls and custom reporting, preventing future breaches. Its zero-trust approach, detailed in the secrets management video, ensures all access is verified, reducing the risk of supply chain attacks like this one.
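As an added example for the first remediation step (this is not AccuKnox's code or any tool the post describes), here is a small Python scanner that finds Java KeyStore (JKS) files by their 0xFEEDFEED magic, whether committed raw or pasted into a config file as Base64, and lists the entry aliases so the affected keys and certificates can be rotated. The sample keystore and file contents are constructed fixtures.

```python
import base64
import io
import re
import struct

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # every Java KeyStore (JKS) file starts with 0xFEEDFEED
B64_JKS = re.compile(r"/u3\+7QAA(?:[A-Za-z0-9+/]{4}){4,}")  # Base64 of that magic + version bytes

def parse_jks_aliases(data: bytes) -> list:
    """Walk a JKS blob (nothing is decrypted, no password needed) and return its entry aliases."""
    if not data.startswith(JKS_MAGIC):
        raise ValueError("not a JKS keystore")
    buf = io.BytesIO(data[8:])  # skip magic and version; next is the entry count
    u32 = lambda: struct.unpack(">I", buf.read(4))[0]
    utf = lambda: buf.read(struct.unpack(">H", buf.read(2))[0]).decode()  # Java writeUTF
    aliases = []
    for _ in range(u32()):
        tag = u32()  # 1 = private key entry, 2 = trusted certificate entry
        aliases.append(utf())
        buf.read(8)  # creation timestamp
        chain = 1
        if tag == 1:
            buf.read(u32())  # password-protected private key bytes
            chain = u32()  # certificate chain length
        for _ in range(chain):  # each certificate: type string, DER length, DER bytes
            utf()
            buf.read(u32())
    return aliases

def scan_files(files: dict) -> list:
    """Flag raw JKS files and Base64 keystores pasted into text as (path, kind, aliases)."""
    findings = []
    for path, content in files.items():
        raw = content.startswith(JKS_MAGIC)
        blobs = [content] if raw else [base64.b64decode(m.group(0))
                                       for m in B64_JKS.finditer(content.decode("latin-1"))]
        for blob in blobs:
            try:
                findings.append((path, "jks-file" if raw else "jks-base64", parse_jks_aliases(blob)))
            except (ValueError, struct.error):
                pass  # Base64 prefix matched but the blob is not a parseable keystore
    return findings

def build_sample_jks(entries) -> bytes:
    """Constructed fixture, not a real keystore: entries are (alias, is_private_key) pairs."""
    cert = b"\x00\x05X.509\x00\x00\x00\x03\x30\x01\x00"  # dummy cert: type, DER length, DER bytes
    key = b"\x00\x00\x00\x04\xde\xad\xbe\xef\x00\x00\x00\x01"  # dummy protected key, chain length 1
    body = b"".join(struct.pack(">IH", 1 if p else 2, len(a)) + a.encode() + bytes(8)
                    + (key if p else b"") + cert for a, p in entries)
    return JKS_MAGIC + struct.pack(">II", 2, len(entries)) + body
```

Every alias reported is a key or certificate to treat as compromised; the private-key bytes themselves are never read beyond their length, so the scan is safe to run over an entire repository.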

Consuming AccuKnox via Oracle Marketplace

AccuKnox offers a comprehensive Zero-Trust CNAPP platform designed to secure modern cloud-native and traditional workloads, including Kubernetes, Serverless, Virtual Machines, Bare Metal, IoT/Edge, and 5G. With 15+ patents and an open-source, DevSecOps-led model, we integrate Cloud Security and AI/ML-driven Anomaly Detection to provide both Static and Runtime Security.

Our Cloud Workload Protection Platform (CWPP) delivers robust runtime security for applications and workloads on Oracle Kubernetes Engine (OKE). It integrates seamlessly with OCI to offer vulnerability scanning, runtime protection, and continuous monitoring, ensuring complete visibility into security posture, detecting misconfigurations, and preventing threats before they escalate.

  1. Visit Oracle Cloud Marketplace and search for AccuKnox. Select “AccuKnox – Build to Runtime Security” and click “Get App” to start the onboarding process.
  2. Provide the required details, and our support team will guide you through the setup.

“We are thrilled to announce that AccuKnox has partnered with Oracle Cloud Marketplace during the initial phase of SaaS delivery. AccuKnox’s impressive CNAPP solutions have already demonstrated immense value to Oracle customers, and we anticipate exponential growth in the coming months. Thank you for being a critical partner in our SaaS Delivery pilot phase. Together, we are poised to achieve remarkable success!”
– Jordan Oliver, Product Manager, Oracle Cloud Marketplace

Learning from Zero-Day Threats

The Oracle breach may have involved a zero-day exploit, a growing concern in cloud environments. AccuKnox’s blog on zero-day attacks highlights how its CNAPP uses automated vulnerability scanning and threat detection to mitigate such risks, offering a proactive defense against unknown vulnerabilities.

  • Prevent privilege escalation by enforcing least privilege with AccuKnox’s IAM, reducing unauthorized access risks.
  • Detect container drift early with AccuKnox’s runtime monitoring, ensuring configurations remain secure.
  • Secure secrets like JKS files using AccuKnox’s integration with HashiCorp Vault, preventing credential leaks.
  • Strengthen VM and on-premise security with continuous scanning, catching vulnerabilities before exploitation.
  • Remediate breaches by scanning for exposed secrets and monitoring for suspicious activity, ensuring quick recovery.

AccuKnox CNAPP provides a robust framework to both prevent and remediate incidents like the Oracle Cloud breach, helping organizations stay resilient in a shared responsibility model.

You can protect your workloads and achieve runtime security using AccuKnox. AccuKnox CNAPP secures your Kubernetes and other cloud workloads using Kernel Native Primitives such as AppArmor, SELinux, and eBPF. Reach out to us for additional guidance in planning your cloud security program.
