CVE-2023-22073 - Unauthenticated Read Access Vulnerability in Oracle Notification Server (Versions 19.3-19.20 and 21.3-21.11)

A critical vulnerability has been identified in the Oracle Notification Server component of Oracle Database Server. The vulnerability, known as CVE-2023-22073, affects supported versions ranging from 19.3 to 19.20 and 21.3 to 21.11.

An unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle Notification Server is executed can exploit this vulnerability. Successful exploitation could lead to unauthorized read access to a subset of Oracle Notification Server accessible data.

The vulnerability has been assigned a CVSS 3.1 Base Score of 4.3, primarily impacting Confidentiality. The associated CVSS Vector is as follows: (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Original References

Oracle has published an official security bulletin acknowledging the vulnerability and providing recommendations for users:

- Oracle Critical Patch Update Advisory - January 2023

Exploit Details

While specific details about the exploit have not been publicly disclosed, it is important for organizations using affected Oracle Database Server versions to implement appropriate security measures to protect their data.

The following code snippet demonstrates an example of an Oracle Notification Server configuration that could potentially be at risk for this type of vulnerability:

<notificationServer>
  <config>
    <parameter name="port" value="4444"/>
    <parameter name="dbconnections" value="5"/>
    <parameter name="maxconnections" value="50"/>
    <parameter name="userpassword" value="password123"/>
  </config>
</notificationServer>

Recommended Actions

Organizations using the Oracle Notification Server component of Oracle Database Server should take the following steps to mitigate the risk associated with CVE-2023-22073:

1. Review the Oracle Critical Patch Update Advisory - January 2023 to determine if your Oracle Database Server installations are affected.

2. Apply the necessary security patches provided by Oracle as soon as possible to address the vulnerability.

3. Implement network segmentation and access controls to limit the potential attack surface associated with the Oracle Notification Server component.

4. Regularly monitor system logs and other security monitoring tools for any signs of unauthorized access or suspicious activity related to the Oracle Notification Server component.

5. Keep abreast of any new information or updates related to CVE-2023-22073 through official Oracle security bulletins and other reliable sources.

Conclusion

Organizations using Oracle Database Server with affected versions of the Oracle Notification Server component should immediately assess their risk and take appropriate actions to protect their data. Applying the security patches, implementing additional security measures, and staying informed about the vulnerability will help organizations safeguard their information from potential exploitation.

Timeline

Published on: 10/17/2023 22:15:12 UTC
Last modified on: 10/23/2023 18:20:40 UTC