13 new vulnerabilities found in Oracle Database Server

Cybersecurity specialists reported the finding of multiple vulnerabilities in Oracle Database Server. According to the report, successful exploitation of these flaws would allow threat actors to bypass security measures in the affected systems.

Below is a brief report of the flaws detected, in addition to their respective identification keys and scores assigned by the Common Vulnerability Scoring System (CVSS).

CVE-2021-2326: Improper input validation within the Database Vault component of the affected application would allow remote users with high privileges to exploit the flaw and gain access to confidential information.

The flaw received a CVSS score of 2.4/10.

CVE-2021-2336: The improper input validation within the Oracle Database – Enterprise Edition Data Redaction would allow remote authenticated users to exploit this vulnerability and manipulate sensitive data.

This flaw received a score of 3.1/10.

CVE-2021-2335: Improper input validation within the Oracle Database – Enterprise Edition Data Redaction component would allow remote threat actors to manipulate data on the compromised system.

The flaw received a CVSS score of 3.1/10.

CVE-2021-2334: The incorrect input validation within the Oracle Database – Enterprise Edition Data Redaction allows remote authenticated users to exploit this vulnerability.

This flaw received a score of 3.1/10 and its exploitation allows hackers to manipulate sensitive data.

CVE-2021-2438: Improper input validation within the Java VM in Oracle Database Server allows remote threat actors to trigger a service disruption condition.

The vulnerability received a CVSS score of 3.8/10.

CVE-2020-7760: The affected application applies improper control over internal resource consumption when processing regular expressions.

The flaw received a 6.5/10 CVSS score and would allow remote threat actors to launch denial of service (DoS) attacks.

CVE-2021-2330: Improper input validation within the Core RDBMS in Oracle Database Server allows remote threat actors to exploit the flaw and cause a service disruption.

The flaw received a CVSS score of 3.8/10.

CVE-2019-17545: A boundary error within the OGRExpatRealloc() function in ogr/ogr_expat.cpp would allow remote attackers to pass a large amount of data to the affected application.

The vulnerability received a 7.7/10 score and its exploitation would allow remote malicious hackers to run arbitrary code on the affected system.

CVE-2021-2333: The improper input validation within the Oracle XML DB in Oracle Database Server allows remote hackers to access sensitive information on the affected system.

This flaw received a 7.7/10 CVSS score.

CVE-2021-2337: The improper input validation within the Oracle XML DB in Oracle Database Server allows remote privileged users to exploit this vulnerability and run arbitrary code on the target system.

The flaw received a 6.3/10 CVSS score.

CVE-2021-2329: The incorrect input validation within Oracle XML DB would allow remote privileged users to exploit the flaw and run arbitrary code on the target system.

The vulnerability received a CVSS score of 6.3/10.

CVE-2021-2328: The improper input validation within the Oracle Text in Oracle Database Server allows remote privileged users to exploit this vulnerability and run arbitrary code.

The vulnerability received a CVSS score of 6.3/10.

CVE-2021-2351: Improper input validation within the Advanced Networking Option in the affected application would allow remote non-authenticated attackers to run arbitrary code.

The vulnerability received a CVSS score of 7.2/10.

These flaws reside in the following versions of Oracle Database Server: 12.1.0.2, 12.2.0.1 and 19c.

These vulnerabilities can be exploited by remote non-authenticated threat actors by sending specially crafted requests to the affected application. Nonetheless, cybersecurity specialists are not aware of any evidence of active exploitation.

Security patches to address the flaws are already available, so Oracle recommends that users of affected implementations update as soon as possible. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.