CVE-2023-22074 - Vulnerability in Oracle Database Sharding Component

A newly discovered vulnerability (CVE-2023-22074) affects Oracle Database Server's Sharding component, particularly the versions 19.3-19.20 and 21.3-21.11. This vulnerability allows a high privileged attacker with the Create Session and Select Any Dictionary privilege and network access via Oracle Net to compromise Oracle Database Sharding. It's important to note that successful attacks require human interaction from a person other than the attacker. The successful exploitation of this vulnerability can result in the unauthorized ability to cause a partial denial of service (partial DOS) on the Oracle Database Sharding component.

Details of the Vulnerability

A high privileged attacker can exploit the vulnerability by gaining network access via Oracle Net to compromise the vulnerable Oracle Database Sharding component. This can be done by sending malicious code through the network, possibly in the form of a malformed request to Oracle Net. The vulnerability allows attackers to cause a partial denial of service if the attack is successful.

The vulnerability has a CVSS 3.1 Base Score of 2.4, impacting the availability of the Oracle Database Sharding component. The CVSS Vector is: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L).

Code Snippet

Although the specific vulnerable code in the Oracle Database Sharding component has not been released, a possible exploitation scenario could be as follows:

import socket

def exploit(host, port):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        payload = 'MALFORMED_PAYLOAD'
        s.send(payload.encode())
        s.close()
        return "Exploit sent. Check the server for effects."
    except Exception as e:
        return f"Error: {str(e)}"

target_host = '192.168.1.1'
target_port = 1234
response = exploit(target_host, target_port)
print(response)

This code snippet demonstrates a possible approach for connecting to the Sharding component on an Oracle Database Server through a socket connection, then attempting to send a malicious payload.

Original References

For more details regarding the CVE-2023-22074, Oracle has published the following resources/reference links:

1. CVE-2023-22074 - Vulnerability in Oracle Database Sharding Component
2. Oracle Critical Patch Update Advisory - October 2022
3. National Vulnerability Database (NVD) -CVE-2023-22074

Conclusion

Oracle Database users must remain cautious and consider applying security updates to address the CVE-2023-22074. Oracle has released a Critical Patch Update (CPU) in October 2022 to resolve this vulnerability. Users should be vigilant when granting privileges to users on the Oracle Database Server and should restrict network access to untrusted sources. Due to the potential for a successful attack to cause a partial denial of service, it is imperative to keep Oracle Database Sharding components up to date with the most recent security patches and follow recommended guidelines for the secure deployment of the Oracle Database.

Timeline

Published on: 10/17/2023 22:15:13 UTC
Last modified on: 10/26/2023 17:15:08 UTC