CVE-2021-2335 Overview
CVE-2021-2335 is a vulnerability in the Data Redaction component of Oracle Database Server, Enterprise Edition. The flaw affects supported versions 12.1.0.2, 12.2.0.1, and 19c. A low-privileged attacker with the CREATE SESSION privilege can exploit the issue over Oracle Net to compromise integrity of redacted data. Successful exploitation requires human interaction from a user other than the attacker. The impact is limited to unauthorized update, insert, or delete access to a subset of Data Redaction-accessible data. Oracle addressed the issue in the July 2021 Critical Patch Update.
Critical Impact
Authenticated attackers can perform unauthorized modifications to data accessible through Oracle Database Enterprise Edition Data Redaction when a separate user interacts with crafted content.
Affected Products
- Oracle Database Server, Enterprise Edition 12.1.0.2
- Oracle Database Server, Enterprise Edition 12.2.0.1
- Oracle Database Server, Enterprise Edition 19c
Discovery Timeline
- 2021-07-21 - CVE-2021-2335 published to NVD
- 2021-07 - Oracle releases security patch in the Oracle Critical Patch Update July 2021
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-2335
Vulnerability Analysis
The vulnerability resides in the Data Redaction feature of Oracle Database Enterprise Edition. Data Redaction masks sensitive column data returned by queries based on policies defined by database administrators. The flaw allows a low-privileged authenticated session to influence redaction behavior in a way that results in unauthorized write operations on a limited set of data the feature exposes. The integrity impact is partial, and there is no confidentiality or availability impact. Exploitation requires the attacker to convince another user to take an action, which constrains practical abuse to social-engineering or workflow-chaining scenarios. The Exploit Prediction Scoring System (EPSS) probability is 0.212% at the 43.6th percentile, indicating low observed exploitation likelihood.
Root Cause
Oracle's advisory categorizes the issue under [CWE-noinfo], and no detailed root cause has been publicly disclosed. Oracle's general practice is to withhold technical specifics for database server vulnerabilities to limit reverse engineering of unpatched instances. Based on the CVSS metrics, the weakness lies in the Data Redaction module's handling of input or session context from authenticated users with minimal privileges.
Attack Vector
The attacker must hold a valid database account with the CREATE SESSION privilege and reach the database over Oracle Net. After authenticating, the attacker triggers an operation that requires interaction from a second user. When that user interacts with the crafted object or query path, the redaction logic permits unauthorized update, insert, or delete operations within its scope. No verified proof-of-concept or exploit code is publicly available for CVE-2021-2335, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; refer to the Oracle Critical Patch Update July 2021 for vendor-provided technical context.
Detection Methods for CVE-2021-2335
Indicators of Compromise
- Unexpected UPDATE, INSERT, or DELETE statements issued by low-privileged accounts against tables protected by Data Redaction policies.
- Anomalous Oracle Net session activity originating from accounts that normally only perform read operations.
- Audit trail entries showing data modifications inconsistent with the user's documented role.
Detection Strategies
- Enable Oracle Unified Auditing for objects covered by DBMS_REDACT policies and review DML activity by users holding only CREATE SESSION.
- Correlate database audit logs with application-layer logs to identify second-user interactions that immediately follow low-privileged session activity.
- Baseline normal DML patterns per role and alert on deviations, particularly write operations against redacted columns.
Monitoring Recommendations
- Forward Oracle audit records to a centralized SIEM for cross-source correlation and retention.
- Track changes to DBMS_REDACT policies and any function-based redaction expressions for unauthorized modification.
- Monitor for new or unusual grants of CREATE SESSION to accounts that did not previously hold the privilege.
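The following Oracle SQL is an added example that implements the detection and monitoring items above; it is not from the original page or from Oracle's advisory. It assumes Unified Auditing is enabled (12c or later), that it is run by a user holding AUDIT_ADMIN plus SELECT on the DBA_ and audit views, and that HR.EMPLOYEES is a table carrying a Data Redaction policy (the schema and table names are assumptions). The REDACTION_POLICIES, REDACTION_COLUMNS, UNIFIED_AUDIT_TRAIL, DBA_SYS_PRIVS and DBA_USERS views are standard Oracle data-dictionary views.

```sql
-- Added example (not from the page or from Oracle): audit DML on redacted
-- tables and on DBMS_REDACT itself, then review the trail for writes by
-- accounts whose only direct system privilege is CREATE SESSION.

-- 1. Find the tables that carry a Data Redaction policy. Audit policies
--    name objects explicitly, so add one ACTIONS entry per table returned.
SELECT DISTINCT object_owner, object_name, policy_name, enable
  FROM redaction_policies;

-- HR.EMPLOYEES is an assumed example table from the query above.
CREATE AUDIT POLICY redacted_tbl_dml
  ACTIONS INSERT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees;
AUDIT POLICY redacted_tbl_dml;

-- 2. Audit changes to the redaction policies themselves: every
--    ADD_POLICY / ALTER_POLICY / DROP_POLICY call goes through this package.
CREATE AUDIT POLICY redact_pkg_use
  ACTIONS EXECUTE ON sys.dbms_redact;
AUDIT POLICY redact_pkg_use;

-- 3. Review: DML in the last 24 hours, by non-Oracle-maintained accounts
--    whose only directly granted system privilege is CREATE SESSION,
--    against any table that has at least one redacted column.
--    (Privileges inherited through roles are not considered here; see
--    DBA_ROLE_PRIVS for those.)
WITH session_only AS (
  SELECT p.grantee
    FROM dba_sys_privs p
    JOIN dba_users u ON u.username = p.grantee
   WHERE u.oracle_maintained = 'N'
   GROUP BY p.grantee
  HAVING COUNT(*) = 1 AND MAX(p.privilege) = 'CREATE SESSION'
),
redacted_tables AS (
  SELECT DISTINCT object_owner, object_name FROM redaction_columns
)
SELECT a.event_timestamp, a.dbusername, a.client_program_name,
       a.action_name, a.object_schema, a.object_name, a.sql_text
  FROM unified_audit_trail a
  JOIN session_only    s ON s.grantee      = a.dbusername
  JOIN redacted_tables r ON r.object_owner = a.object_schema
                        AND r.object_name  = a.object_name
 WHERE a.action_name IN ('INSERT', 'UPDATE', 'DELETE')
   AND a.event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY a.event_timestamp;

-- 4. Review: who changed redaction policies in the last week.
SELECT event_timestamp, dbusername, action_name, object_name, sql_text
  FROM unified_audit_trail
 WHERE object_schema = 'SYS' AND object_name = 'DBMS_REDACT'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
 ORDER BY event_timestamp;
```

Query 3 is the one to schedule or to feed into the SIEM: a row means a read-only account wrote to a redacted table, which is exactly the integrity impact described for this CVE. Query 4 supports the policy-change monitoring item; if you also forward the audit trail off-host, use the same filters on the forwarded records rather than on the live view.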
How to Mitigate CVE-2021-2335
Immediate Actions Required
- Apply the July 2021 Oracle Critical Patch Update to all affected 12.1.0.2, 12.2.0.1, and 19c Enterprise Edition installations.
- Inventory database accounts with CREATE SESSION privilege and revoke access where it is not strictly required.
- Review Data Redaction policies to confirm they reflect current data classification requirements.
Patch Information
Oracle released a fix in the Oracle Critical Patch Update July 2021. Administrators should follow Oracle's recommended patch application procedures, including pre-patch testing in a non-production environment and post-patch validation of Data Redaction functionality.
Workarounds
- Restrict network access to Oracle Net listeners using Valid Node Checking or firewall ACLs to limit which clients can establish sessions.
- Reduce the population of accounts holding CREATE SESSION and enforce strong authentication on remaining accounts.
- Disable or constrain Data Redaction policies on sensitive tables until the patch is applied if business processes allow.
# Example: review accounts holding CREATE SESSION privilege (direct grants only;
# grants through roles appear in dba_role_privs). Run as the Oracle software owner.
sqlplus -S / as sysdba <<'EOF'
SELECT p.grantee, u.account_status, u.last_login
  FROM dba_sys_privs p JOIN dba_users u ON u.username = p.grantee
 WHERE p.privilege = 'CREATE SESSION' AND u.oracle_maintained = 'N'
 ORDER BY p.grantee;
EOF
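For the first workaround (Valid Node Checking), the sqlnet.ora fragment below is an added example, not taken from the page or from Oracle documentation; the two parameters are the standard Oracle Net ones, while the three client addresses are placeholders you would replace with your application servers and administrative hosts. The file belongs to the listener's ORACLE_HOME (or TNS_ADMIN directory), and the listener must be reloaded for a change to take effect.

```ini
# Default (weak): any client that can reach the listener may attempt to
# open a session, so the CREATE SESSION precondition is met from anywhere.
TCP.VALIDNODE_CHECKING = no

# Hardened: only the listed nodes may complete a TCP connection to the
# listener; everything else is refused before authentication.
# Addresses below are placeholders (assumed application tier and DBA host).
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (10.0.10.21, 10.0.10.22, 10.0.20.5)
```

Valid Node Checking filters on source address only, so it complements rather than replaces the account review above: a connection from an invited node still needs a valid account, and an account on a non-invited node cannot reach the vulnerable code path at all.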
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.