CVE-2021-2335 Overview
CVE-2021-2335 is a vulnerability in the Oracle Database - Enterprise Edition Data Redaction component of Oracle Database Server. This flaw allows a low-privileged attacker with Create Session privilege and network access via Oracle Net to compromise the Data Redaction component. Successful exploitation requires human interaction from a person other than the attacker and can result in unauthorized update, insert, or delete access to some of the Oracle Database - Enterprise Edition Data Redaction accessible data.
Critical Impact
An attacker with minimal privileges can bypass data protection controls to modify sensitive redacted data, potentially exposing protected information or corrupting data integrity in affected Oracle Database deployments.
Affected Products
- Oracle Database Enterprise Edition 12.1.0.2
- Oracle Database Enterprise Edition 12.2.0.1
- Oracle Database Enterprise Edition 19c
Discovery Timeline
- 2021-07-21 - CVE-2021-2335 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-2335
Vulnerability Analysis
This vulnerability affects the Data Redaction component within Oracle Database Enterprise Edition. Data Redaction is a security feature designed to mask sensitive data in real-time before it is returned to applications, protecting information such as credit card numbers, social security numbers, and other personally identifiable information.
The vulnerability is easily exploitable through the network via Oracle Net protocol. However, exploitation is limited in scope due to two key factors: the attacker must possess at least Create Session privileges on the database, and successful exploitation requires some form of human interaction from another party. The impact is confined to integrity violations—specifically unauthorized modification capabilities—rather than confidentiality or availability compromises.
Root Cause
The root cause relates to improper access control within the Data Redaction component. The vulnerability allows authenticated users with minimal database privileges to bypass intended restrictions on data modification operations. This indicates insufficient validation of user privileges when processing certain redaction-related operations, enabling low-privileged users to perform unauthorized data modifications that should be restricted to higher-privileged roles.
Attack Vector
The attack is conducted over the network using the Oracle Net protocol, which is the standard communication layer for Oracle Database connections. An attacker requires:
- Valid database credentials with at least Create Session privilege
- Network access to the Oracle Database listener
- The ability to induce human interaction from another user or administrator
The attack flow involves the attacker establishing a legitimate session and then exploiting the Data Redaction component weakness to perform unauthorized data manipulation operations. The requirement for human interaction suggests this may involve scenarios where an administrator or another user inadvertently triggers the vulnerable code path.
Detection Methods for CVE-2021-2335
Indicators of Compromise
- Unusual audit log entries showing data modification operations by low-privileged users on redacted columns or tables
- Unexpected changes to Data Redaction policy configurations or protected data values
- Database session logs indicating suspicious activity patterns involving the Data Redaction component
Detection Strategies
- Enable Oracle Database Auditing to track all DML operations on tables protected by Data Redaction policies
- Monitor database audit trails for privilege escalation attempts or unauthorized access to sensitive data columns
- Implement SentinelOne Singularity Platform to detect anomalous database activity patterns and network connections to Oracle listeners
Monitoring Recommendations
- Review Oracle Net connection logs for unusual client connections or repeated authentication attempts
- Configure alerting for any modifications to Data Redaction policies or protected table structures
- Deploy network monitoring to track Oracle Net traffic patterns and identify potential exploitation attempts
How to Mitigate CVE-2021-2335
Immediate Actions Required
- Apply the Oracle Critical Patch Update (CPU) from July 2021 immediately to all affected Oracle Database instances
- Review and restrict Create Session privileges to only users who absolutely require database access
- Audit current Data Redaction configurations and verify integrity of protected data
Patch Information
Oracle has addressed this vulnerability in the Oracle Critical Patch Update July 2021. Organizations running Oracle Database Enterprise Edition versions 12.1.0.2, 12.2.0.1, or 19c should apply the appropriate patches from this CPU release. The patch addresses the improper access control issue within the Data Redaction component.
Workarounds
- Restrict network access to Oracle Database listeners using firewall rules to limit exposure to trusted networks only
- Implement additional database-level access controls to limit which users can interact with Data Redaction protected data
- Enable comprehensive auditing on all tables protected by Data Redaction policies to detect unauthorized modification attempts
- Consider implementing Oracle Database Vault for additional privilege controls until patching can be completed
# Configuration example - Restrict Oracle listener access (sqlnet.ora)
# Add to $ORACLE_HOME/network/admin/sqlnet.ora
# Enable valid node checking
TCP.VALIDNODE_CHECKING = YES
# Allow only trusted IP addresses/networks
TCP.INVITED_NODES = (192.168.1.0/24, 10.0.0.0/8)
# Deny all other connections
TCP.EXCLUDED_NODES = (*)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
