CVE-2021-2334 Overview
CVE-2021-2334 is a vulnerability in the Data Redaction component of Oracle Database Server (Enterprise Edition). The affected supported versions are 12.1.0.2, 12.2.0.1, and 19c. It is exploitable by a low-privileged attacker who holds the CREATE SESSION privilege and has network access via Oracle Net; successful exploitation additionally requires interaction from a person other than the attacker. The impact is limited to unauthorized update, insert, or delete access to some of the data accessible through Data Redaction; confidentiality and availability are not affected. Oracle rates the issue CVSS 3.1 base score 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) and fixed it in the July 2021 Critical Patch Update.
Impact
Oracle rates this issue Low (CVSS 3.1 base score 3.5), not critical. An authenticated attacker holding CREATE SESSION, once a separate user has been induced to perform the required interaction, can make unauthorized insert, update, or delete changes to a subset of Data Redaction-accessible data. Confidentiality and availability are unaffected.
Affected Products
- Oracle Database Server Enterprise Edition 12.1.0.2
- Oracle Database Server Enterprise Edition 12.2.0.1
- Oracle Database Server Enterprise Edition 19c
Discovery Timeline
- 2021-07-20 - Oracle releases the July 2021 Critical Patch Update addressing this vulnerability
- 2021-07-21 - CVE-2021-2334 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-2334
Vulnerability Analysis
The vulnerability resides in the Data Redaction component of Oracle Database Enterprise Edition. Data Redaction, configured through the DBMS_REDACT package, rewrites sensitive column values in query results at run time according to policies that administrators attach to tables and views; the stored data itself is not changed. The flaw allows a low-privileged database account holding only CREATE SESSION to perform unauthorized integrity-affecting operations (insert, update, or delete) against some of the data that Data Redaction governs. Exploitation takes place over Oracle Net, the network protocol used by Oracle clients. Confidentiality and availability are not affected. Because exploitation also requires an action by a different user, an attacker must rely on social engineering or on a workflow that causes that user to act. NVD lists the weakness as NVD-CWE-noinfo because Oracle has not published enough technical detail to assign a CWE.
Root Cause
Oracle has not publicly released root-cause detail for CVE-2021-2334. The advisory describes the component, prerequisites, and impact without disclosing the underlying defect. Refer to the Oracle July 2021 Critical Patch Update for vendor-supplied information.
Attack Vector
The attacker needs an authenticated database session reachable over Oracle Net, for which the CREATE SESSION privilege is sufficient. Oracle's advisory states that a person other than the attacker must take some action for the attack to succeed but does not say what that action is. A plausible pattern, and no more than an inference from the prerequisites, is that the attacker stages something (a query, a procedure call, an object) that a separate, more privileged user later executes or touches. The result is unauthorized insert, update, or delete of a limited subset of the data that Data Redaction governs. No specialized tooling beyond a standard Oracle client is required.
No verified public proof-of-concept exists for CVE-2021-2334. Vendor advisories do not include exploit code, and the EPSS probability is 0.212% (percentile 43.6), a low predicted likelihood of exploitation in the wild rather than a measure of observed attacks.
Detection Methods for CVE-2021-2334
Indicators of Compromise
- Unexpected UPDATE, INSERT, or DELETE operations against tables protected by Data Redaction policies, originating from accounts holding only CREATE SESSION.
- Anomalous Oracle Net session activity from low-privileged accounts targeting redacted columns.
- Audit records showing privilege use that diverges from the account's documented role.
Detection Strategies
- Enable Oracle Unified Auditing for DML statements affecting tables with Data Redaction policies applied.
- Compare current Data Redaction policy definitions against a known-good baseline to identify tampering.
- Correlate CREATE SESSION logons with subsequent write activity on sensitive schemas to surface deviations from expected behavior.
Monitoring Recommendations
- Forward Oracle audit logs into a centralized analytics platform for long-term retention and correlation.
- Alert on writes to columns protected by DBMS_REDACT policies performed by accounts without explicit DML grants.
- Track patch level of Oracle Database instances and flag hosts still running 12.1.0.2, 12.2.0.1, or 19c without the July 2021 CPU applied.
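The following SQL is an added example written for this page; it is not from the Oracle advisory or the NVD entry. It implements two of the detection strategies above: a one-time baseline of the Data Redaction policy definitions with a drift check against it, and a query of the unified audit trail for recent DML on redacted tables by users with no direct DML grant on the object. It assumes Unified Auditing is enabled and a DBA session; the schema SECMON and the table REDACTION_BASELINE are hypothetical names, and the dictionary view columns are those documented for 12.1 through 19c.

```sql
-- Added example (not from the advisory). Assumes a DBA session with Unified Auditing on.
-- SECMON.REDACTION_BASELINE is a hypothetical table name chosen for this example.

-- (1a) One-time baseline of each policy together with its per-column redaction function.
CREATE TABLE secmon.redaction_baseline AS
SELECT p.object_owner, p.object_name, p.policy_name, p.enable, p.expression,
       c.column_name, c.function_type, c.function_parameters
FROM   redaction_policies p
JOIN   redaction_columns  c
  ON   c.object_owner = p.object_owner
 AND   c.object_name  = p.object_name;

-- (1b) Drift check, run on a schedule: rows present only in the live definition
--      (policy or column added, or changed) or only in the baseline (dropped, or changed).
--      A disabled policy or a weakened function (e.g. FULL REDACTION -> NONE) shows up
--      as one LIVE_ONLY row and one BASELINE_ONLY row for the same object/column.
WITH live AS (
  SELECT p.object_owner, p.object_name, p.policy_name, p.enable, p.expression,
         c.column_name, c.function_type, c.function_parameters
  FROM   redaction_policies p
  JOIN   redaction_columns  c
    ON   c.object_owner = p.object_owner
   AND   c.object_name  = p.object_name
)
SELECT 'LIVE_ONLY' AS side, d.*
FROM   (SELECT * FROM live MINUS SELECT * FROM secmon.redaction_baseline) d
UNION ALL
SELECT 'BASELINE_ONLY' AS side, b.*
FROM   (SELECT * FROM secmon.redaction_baseline MINUS SELECT * FROM live) b;

-- (2) Writes against redacted tables in the last 24 hours by users who are not the
--     owner and hold no direct INSERT/UPDATE/DELETE grant on the object.
--     Role-granted privileges are not expanded here, so treat hits as triage leads.
--     RETURN_CODE <> 0 marks attempts the database rejected; for this CVE, repeated
--     rejected writes from a CREATE SESSION-only account are the interesting signal.
SELECT a.event_timestamp, a.dbusername, a.os_username, a.userhost,
       a.client_program_name, a.action_name, a.object_schema, a.object_name,
       a.return_code, a.sql_text
FROM   unified_audit_trail a
WHERE  a.action_name IN ('INSERT', 'UPDATE', 'DELETE')
AND    a.event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
AND    a.object_schema <> a.dbusername
AND    EXISTS (SELECT 1
               FROM   redaction_policies p
               WHERE  p.object_owner = a.object_schema
               AND    p.object_name  = a.object_name)
AND    NOT EXISTS (SELECT 1
                   FROM   dba_tab_privs t
                   WHERE  t.grantee    = a.dbusername
                   AND    t.owner      = a.object_schema
                   AND    t.table_name = a.object_name
                   AND    t.privilege  = a.action_name)
ORDER BY a.event_timestamp;
```

Query (2) only returns rows for DML that is actually being audited, so it depends on a unified audit policy such as the one shown under Workarounds being enabled for the redacted tables; the drift check in (1b) needs no auditing at all and is cheap enough to run every few minutes.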
How to Mitigate CVE-2021-2334
Immediate Actions Required
- Apply the Oracle July 2021 Critical Patch Update to all affected Oracle Database 12.1.0.2, 12.2.0.1, and 19c instances.
- Inventory accounts holding CREATE SESSION, directly or through roles, and revoke it from (or lock) any account that does not need to log on at all. CREATE SESSION is required for every connection, not only interactive ones, so confirm an account is genuinely unused before removing it.
- Review Data Redaction policies and validate the data sensitivity of columns currently masked.
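The following SQL is an added example for this page (not from the Oracle advisory) that backs the three actions above with dictionary queries: who can log on and how they obtained CREATE SESSION, who can write to tables that carry a redaction policy, and what SQL patches are applied. It assumes a DBA session on 12.1.0.2 or later (recursive WITH and FETCH FIRST need 12.1+); only standard dictionary views are used.

```sql
-- Added example (not from the advisory). Run as a DBA on 12.1.0.2 or later.

-- (1) Every non-Oracle-maintained account that can log on, with the path that gives it
--     CREATE SESSION: a direct grant, a chain of roles, or a grant to PUBLIC.
WITH role_tree (grantee, granted_role) AS (
  SELECT grantee, granted_role
  FROM   dba_role_privs
  UNION ALL
  SELECT rt.grantee, rp.granted_role           -- walk role-to-role grants
  FROM   role_tree rt
  JOIN   dba_role_privs rp ON rp.grantee = rt.granted_role
),
can_connect (username, via) AS (
  SELECT grantee,
         CASE grantee WHEN 'PUBLIC' THEN 'PUBLIC' ELSE 'DIRECT' END
  FROM   dba_sys_privs
  WHERE  privilege = 'CREATE SESSION'
  UNION ALL
  SELECT rt.grantee,
         CASE rt.grantee WHEN 'PUBLIC' THEN 'PUBLIC via ' ELSE '' END
           || 'ROLE ' || rt.granted_role
  FROM   role_tree rt
  JOIN   dba_sys_privs s ON s.grantee = rt.granted_role
  WHERE  s.privilege = 'CREATE SESSION'
)
SELECT u.username, u.account_status, u.last_login,
       LISTAGG(c.via, ', ') WITHIN GROUP (ORDER BY c.via) AS granted_via
FROM   dba_users u
JOIN   (SELECT DISTINCT username, via FROM can_connect) c
  ON   c.username = u.username OR c.username = 'PUBLIC'
WHERE  u.oracle_maintained = 'N'
GROUP  BY u.username, u.account_status, u.last_login
ORDER  BY u.username;

-- (2) Direct INSERT/UPDATE/DELETE grants on any table that carries a redaction policy.
--     Each grantee should match the list of vetted application accounts; a disabled
--     policy (ENABLE = 'NO') on a sensitive table is itself a finding.
SELECT p.object_owner, p.object_name, p.policy_name, p.enable,
       t.grantee, t.privilege, t.grantable
FROM   redaction_policies p
JOIN   dba_tab_privs t
  ON   t.owner = p.object_owner
 AND   t.table_name = p.object_name
WHERE  t.privilege IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY p.object_owner, p.object_name, t.grantee, t.privilege;

-- (3) Most recent successfully applied SQL patches. For 19c the July 2021 fix ships in
--     Release Update 19.12.0.0.210720; compare DESCRIPTION against the July 2021 patch
--     for your release.
SELECT patch_id, action, status, action_time, description
FROM   dba_registry_sqlpatch
WHERE  action = 'APPLY'
AND    status = 'SUCCESS'
ORDER  BY action_time DESC
FETCH FIRST 5 ROWS ONLY;
```

Query (2) lists direct grants only; to see DML reachable through roles, reuse the role_tree expansion from query (1) against DBA_TAB_PRIVS in the same way it is used against DBA_SYS_PRIVS.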
Patch Information
Oracle addressed CVE-2021-2334 in the July 2021 Critical Patch Update. Patch guidance and download links are in the Oracle Critical Patch Update Advisory - July 2021 and its Database risk matrix. Apply the corresponding July 2021 Release Update or Bundle Patch for each affected database version, including standby, test, and restored-from-backup instances, which are easy to leave behind.
Workarounds
- Restrict network access to the Oracle Net listener, either with firewall rules or with Valid Node Checking (TCP.VALIDNODE_CHECKING = yes together with TCP.INVITED_NODES or TCP.EXCLUDED_NODES in sqlnet.ora), so that only known clients can reach the authentication step at all.
- Reduce the population of accounts granted CREATE SESSION to lower the pool of potential attackers.
- Enforce least-privilege access on schemas that contain redacted data, ensuring write access is granted only to vetted application accounts.
# Example: revoke CREATE SESSION from an account that no longer needs to log on at all
# (the account name is illustrative; run the SQL from a SQL*Plus session as SYSDBA)
sqlplus / as sysdba
REVOKE CREATE SESSION FROM legacy_report_user;
# Example: enable unified auditing for DML on a table that carries a redaction policy
# (each action names its object explicitly; AUDIT POLICY without a BY clause applies to all users)
CREATE AUDIT POLICY redact_dml_audit
  ACTIONS INSERT ON hr.employees, UPDATE ON hr.employees, DELETE ON hr.employees;
AUDIT POLICY redact_dml_audit;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


