Overview
This vulnerability exists in the Java VM component of Oracle Database Server and affects supported versions 12.1.0.2, 12.2.0.1 and 19c. Oracle rates it easily exploitable: a low-privileged attacker who holds the Create Procedure privilege and can reach the database over Oracle Net can trigger it with no user interaction. The impact is limited to availability: successful exploitation causes a partial denial of service of the Java VM component, with no effect on confidentiality or integrity. Its CVSS 3.1 base score is 4.3, which Oracle classifies as medium severity.
Remediation
To address this vulnerability, organizations should apply the fixes delivered in the Oracle Critical Patch Update (CPU) of July 2021. Note that Oracle ships Java VM (OJVM) fixes as a separate OJVM patch alongside the database Release Update or PSU, so applying only the database update does not close this issue. Recommended actions:
- Update affected Oracle Database Server installations with the July 2021 CPU, including the matching OJVM patch.
- If immediate patching is not possible, consider the following temporary mitigations:
  - Review and restrict the Create Procedure privilege to trusted users only. The privilege is also carried by the RESOURCE role, so review grants of that role as well as direct grants.
  - Implement network access controls so that Oracle Net connections are accepted only from trusted sources.
  - Monitor for unusual Java VM activity in the database, such as unexpected creation of stored procedures or Java objects by application accounts.
- Apply Oracle security patches regularly as part of an ongoing security maintenance program.
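The privilege review and patch verification described above can be carried out from a DBA session in SQL*Plus. The following is an added example written for this page, not code from Oracle's advisory. It assumes a DBA-privileged session, a hypothetical application account named `app_report`, that unified auditing is available (12c and later), and that the OJVM patch entry in `DBA_REGISTRY_SQLPATCH` contains the string "OJVM" in its description.

```sql
-- Added example (not from the Oracle advisory). Run as a DBA-privileged user.
-- APP_REPORT is a hypothetical account name used for illustration.

-- 1. Direct grants of CREATE PROCEDURE to users or roles.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE PROCEDURE'
 ORDER BY grantee;

-- 2. Users that inherit CREATE PROCEDURE through any role, including nested roles.
--    The RESOURCE role carries CREATE PROCEDURE, so its grantees appear here too.
--    ORACLE_MAINTAINED separates Oracle-supplied accounts from application accounts.
WITH role_chain (grantee, granted_role) AS (
  SELECT grantee, granted_role
    FROM dba_role_privs
  UNION ALL
  SELECT rp.grantee, rc.granted_role
    FROM dba_role_privs rp
    JOIN role_chain rc ON rc.grantee = rp.granted_role
)
SELECT DISTINCT u.username, rc.granted_role AS via_role, u.oracle_maintained
  FROM role_chain rc
  JOIN dba_sys_privs sp ON sp.grantee = rc.granted_role
  JOIN dba_users     u  ON u.username = rc.grantee
 WHERE sp.privilege = 'CREATE PROCEDURE'
 ORDER BY u.oracle_maintained, u.username;

-- 3. Remove the privilege from an account that does not need it (hypothetical name).
REVOKE CREATE PROCEDURE FROM app_report;

-- 4. Record who creates stored procedures while the patch is pending
--    (unified auditing, 12c and later; the policy name is arbitrary).
CREATE AUDIT POLICY proc_create_watch
  ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY;
AUDIT POLICY proc_create_watch;

-- 5. Confirm the OJVM fix is installed. The OJVM patch is separate from the
--    database RU/PSU; the LIKE filter assumes its description mentions OJVM.
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 WHERE UPPER(description) LIKE '%OJVM%'
 ORDER BY action_time DESC;
```

An empty result from query 5, or no OJVM entry with ACTION = 'APPLY' and STATUS = 'SUCCESS' dated July 2021 or later, means the Java VM component is still unpatched even if the database Release Update has been applied.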
References
- Oracle Critical Patch Update Advisory - July 2021: https://www.oracle.com/security-alerts/cpujul2021.html
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Base Score: 4.3)
- Affected Oracle Database Server versions: 12.1.0.2, 12.2.0.1, and 19c
Industry Exposure (most to least affected)
This section ranks industries by how often this CVE has been observed in customer reports, from most to least affected. The ranking indicates where the vulnerability is most prevalent and can help organizations in these sectors compare their exposure with peers and prioritize patching and remediation accordingly.
- Manufacturing
- Health Care & Social Assistance
- Public Administration
- Educational Services
- Transportation & Warehousing
- Arts, Entertainment & Recreation
- Finance and Insurance
- Management of Companies & Enterprises
- Retail Trade
- Utilities
- Professional, Scientific, & Technical Services
- Wholesale Trade
- Accommodation & Food Services
- Administrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry, Fishing & Hunting
- Construction
- Information
- Mining
- Other Services (except Public Administration)
- Real Estate Rental & Leasing