The Common Vulnerabilities and Exposures (CVE) database has recently reported a vulnerability with the identifier CVE-2023-22075. This vulnerability affects the Sharding component of Oracle Database Server, which is a popular enterprise-grade database management system. Specifically, the vulnerability is present in versions 19.3-19.20 and 21.3-21.11 of the Oracle Database Server.

The vulnerability is considered easily exploitable and can be abused by a highly privileged attacker with the Create Session, Create Any View, and Select Any Table privileges. The attacker would also require network access to the target via Oracle Net. The successful exploitation of this vulnerability would allow the attacker to cause a partial denial of service (partial DOS) to the Oracle Database Sharding component, potentially affecting the availability and performance of the server.

This post will provide a brief description of the vulnerability, along with an example code snippet, links to original references, and details about the potential exploit.

Vulnerability Details

CVE Identifier: CVE-2023-22075
CVSS 3.1 Base Score: 2.4 (Availability impacts)
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L)

Oracle Database Server versions affected: 19.3-19.20 and 21.3-21.11
Vulnerable component: Oracle Database Sharding
Impact: Unauthorized partial denial of service (partial DOS) of Oracle Database Sharding

Code Snippet

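The following code snippet sketches the preconditions for CVE-2023-22075 in an Oracle Database Sharding environment: an account holding the three required privileges, a view over a sharded table, and a scheduler job. The statement that would actually trigger the denial of service is left as a placeholder (YOUR_DOS_TRIGGER_CODE_HERE), so the snippet does not reproduce the issue as written: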

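/* Run as a DBA: attacker_session is an existing account that is given the
   Create Session, Create Any View and Select Any Table privileges.
   CREATE SESSION is a privilege to grant, not a statement of its own. */
GRANT CREATE SESSION TO attacker_session;
GRANT CREATE ANY VIEW TO attacker_session;
GRANT SELECT ANY TABLE TO attacker_session;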

/* Exploit the vulnerability */
DECLARE
  v_dos_trigger VARCHAR2(100) := 'YOUR_DOS_TRIGGER_CODE_HERE';
BEGIN
  EXECUTE IMMEDIATE 'CREATE OR REPLACE VIEW vulnerable_view AS SELECT * FROM sharded_table';
  DBMS_SCHEDULER.create_job(
    job_name => 'vulnerable_job',
    job_type => 'PLSQL_BLOCK',
    job_action => 'BEGIN ' || v_dos_trigger || '; END;',
    start_date => SYSTIMESTAMP,
    repeat_interval => 'FREQ=SECONDLY; INTERVAL=1',
    enabled => TRUE
  );
END;
/

Original References and Additional Information

For more details about the CVE-2023-22075 vulnerability, as well as its potential impact on the Oracle Database Server and recommendations for mitigation, please refer to the following resources:

1. CVE-2023-22075 in the NIST National Vulnerability Database
2. Oracle Critical Patch Update Advisory
3. Oracle Database Sharding Documentation

Exploit Notes

Please note that the successful exploitation of CVE-2023-22075 requires human interaction from a person other than the attacker. Additionally, the vulnerability is limited to affecting the availability aspect of the CIA triad (confidentiality, integrity, and availability). The successful exploitation does not grant the attacker any ability to access, modify, or exfiltrate data from the compromised sharded tables.

Administrators are strongly advised to apply the relevant Oracle patches and mitigation measures to safeguard their environments from potential exploitation of the CVE-2023-22075 vulnerability. It is also recommended to follow the principle of least privilege, granting users the minimal required permissions for their roles to reduce potential attack surfaces.
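
The least-privilege recommendation above can be checked with a query like the following, added here as an example (it is not from Oracle or the original post). It reports the running release and lists the accounts that hold all three prerequisite privileges, directly or through nested roles, and it assumes read access to V$INSTANCE and the DBA_* dictionary views.

```sql
-- Added example (not Oracle's or the original post's code).
-- Run as a user who can read V$INSTANCE, DBA_USERS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS.

-- 1. Release in use; compare with the affected ranges 19.3-19.20 and 21.3-21.11.
SELECT version_full FROM v$instance;

-- 2. Accounts that hold all three privileges named in the advisory,
--    either directly or through (nested) roles.
--    Grants made to PUBLIC are not expanded here.
WITH needed (privilege) AS (
  SELECT 'CREATE SESSION'   FROM dual UNION ALL
  SELECT 'CREATE ANY VIEW'  FROM dual UNION ALL
  SELECT 'SELECT ANY TABLE' FROM dual
),
role_closure (username, granted_role) AS (
  -- roles granted directly to a user
  SELECT rp.grantee, rp.granted_role
  FROM   dba_role_privs rp
  JOIN   dba_users u ON u.username = rp.grantee
  UNION ALL
  -- roles granted to those roles
  SELECT rc.username, rp.granted_role
  FROM   role_closure rc
  JOIN   dba_role_privs rp ON rp.grantee = rc.granted_role
),
effective_privs AS (
  SELECT sp.grantee AS username, sp.privilege, 'DIRECT' AS via
  FROM   dba_sys_privs sp
  JOIN   dba_users u ON u.username = sp.grantee
  UNION
  SELECT rc.username, sp.privilege, rc.granted_role
  FROM   role_closure rc
  JOIN   dba_sys_privs sp ON sp.grantee = rc.granted_role
)
SELECT ep.username,
       u.account_status,
       u.oracle_maintained,
       LISTAGG(ep.privilege || ' via ' || ep.via, '; ')
         WITHIN GROUP (ORDER BY ep.privilege, ep.via) AS held_through
FROM   effective_privs ep
JOIN   needed n    ON n.privilege = ep.privilege
JOIN   dba_users u ON u.username  = ep.username
GROUP  BY ep.username, u.account_status, u.oracle_maintained
HAVING COUNT(DISTINCT ep.privilege) = (SELECT COUNT(*) FROM needed)
ORDER  BY u.oracle_maintained, ep.username;
```

Rows where ORACLE_MAINTAINED is 'N' are the accounts to review first: each one that does not need CREATE ANY VIEW or SELECT ANY TABLE for its role is a candidate for having the privilege revoked.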

Timeline

Published on: 10/17/2023 22:15:13 UTC
Last modified on: 10/23/2023 18:23:12 UTC