CVE-2021-35619 Overview
CVE-2021-35619 is a vulnerability in the Java VM component of Oracle Database Server. According to Oracle's advisory, a low-privileged attacker who holds the CREATE PROCEDURE privilege and has network access via Oracle Net can compromise the Java VM. The vulnerability is difficult to exploit and requires interaction from a person other than the attacker. Successful exploitation results in takeover of the Java VM component, with impact on the confidentiality, integrity, and availability of the affected database.
Critical Impact
Successful exploitation gives the attacker control of the Java VM component inside Oracle Database Server, with high impact on confidentiality, integrity, and availability. Java stored code runs inside the database server process, so that control can be used to execute arbitrary code on the server, read or modify data, and disrupt database operations. Two factors limit exploitability: the attack complexity is high, and a second user must be induced to interact with something the attacker has prepared.
Affected Products
- Oracle Database Server 12.1.0.2 (Java VM component)
- Oracle Database Server 12.2.0.1 (Java VM component)
- Oracle Database Server 19c (Java VM component)
- Oracle Database Server 21c (Java VM component)
Discovery Timeline
- October 19, 2021 - Fix released in the Oracle Critical Patch Update Advisory - October 2021
- October 20, 2021 - CVE-2021-35619 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-35619
Vulnerability Analysis
This vulnerability resides in the Java VM component embedded within Oracle Database Server. The flaw is reachable by attackers with limited database privileges, specifically the CREATE PROCEDURE system privilege, over network-accessible Oracle Net connections. The attack complexity is high: beyond the privilege requirement, the attacker must obtain interaction from a legitimate user other than themselves.
The impact upon successful exploitation is severe, affecting all three security pillars: confidentiality, integrity, and availability. An attacker who successfully exploits this vulnerability gains control over the Java VM component, which runs inside the database server process and can therefore be leveraged to read sensitive database information, modify data, or cause denial of service within the database environment.
Root Cause
The exact technical root cause has not been publicly disclosed by Oracle. The vulnerability is categorized under NVD-CWE-noinfo, indicating that no specific weakness enumeration is available. What is known is limited to the conditions in Oracle's advisory: the flaw is in the Java VM component and can be reached by an authenticated user who holds the CREATE PROCEDURE privilege, provided another user interacts.
Attack Vector
The attack vector is network-based, requiring the attacker to have:
- Network access to the Oracle Database Server via Oracle Net protocol
- Low-privileged database account with Create Procedure privilege
- The ability to convince another user to interact with malicious content or procedures
The exploitation difficulty is high because of the user-interaction requirement and the specific privilege prerequisite. The most plausible reading of these conditions is that the attacker creates a malicious procedure or other Java VM-related object that, when executed or interacted with by another user, triggers the vulnerability; Oracle has not confirmed the details.
Because no public proof-of-concept exists, the exploitation mechanism is best described in terms of the attack conditions rather than specific code patterns. The vulnerability requires authenticated access combined with social engineering to achieve user interaction. Organizations should consult the Oracle Critical Patch Update Advisory - October 2021 for additional guidance.
Detection Methods for CVE-2021-35619
Indicators of Compromise
- Unusual stored procedure creation activity from accounts with Create Procedure privilege
- Unexpected Java VM operations or exceptions in Oracle Database logs
- Anomalous network traffic patterns over Oracle Net connections
- Unauthorized access attempts to database objects following procedure execution
Detection Strategies
- Monitor Oracle Database audit logs for suspicious procedure creation by any account holding the CREATE PROCEDURE privilege (a low-privileged account is sufficient for this vulnerability; do not limit the review to DBA-level accounts)
- Implement database activity monitoring (DAM) solutions to track Java VM component interactions
- Review Oracle listener logs for unusual Oracle Net connection patterns
- Deploy network intrusion detection rules to identify anomalous database protocol traffic
Monitoring Recommendations
- Enable auditing for CREATE PROCEDURE operations in Oracle Database; because the CREATE PROCEDURE privilege also permits creating functions, packages, and Java sources and classes, audit use of the privilege itself rather than only the CREATE PROCEDURE statement
- Configure alerts for Java VM errors or unexpected behavior in database alert logs
- Establish baseline metrics for normal database procedure activity to identify deviations
- Implement real-time monitoring of privileged database account activities
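The following is an added example of the auditing and detection queries described above; it is not from the original page or from Oracle's advisory. It uses Oracle Unified Auditing (available in 12c and later) and assumes a SYSDBA or AUDIT_ADMIN session. The policy name cve_2021_35619_proc_ddl and the account name APP_REPORTING are arbitrary choices for illustration.

```sql
-- Audit policy covering the DDL that the CREATE PROCEDURE privilege permits.
-- PRIVILEGES catches every statement that exercises the privilege (including
-- CREATE FUNCTION, CREATE PACKAGE and CREATE JAVA); ACTIONS adds the named
-- statements so that DDL in other schemas via stronger privileges is seen too.
-- Policy name is an arbitrary choice (example).
CREATE AUDIT POLICY cve_2021_35619_proc_ddl
  PRIVILEGES CREATE PROCEDURE
  ACTIONS    CREATE PROCEDURE, ALTER PROCEDURE, DROP PROCEDURE,
             CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY,
             CREATE JAVA;

-- Enable it for all users, successful and failed attempts alike.
AUDIT POLICY cve_2021_35619_proc_ddl;

-- Baseline / deviation query: procedure and Java DDL in the last 24 hours,
-- grouped by account and client, so that a burst from one low-privileged
-- account stands out. Policy names are stored upper-cased in the trail.
SELECT dbusername,
       userhost,
       client_program_name,
       COUNT(*)             AS ddl_events,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%CVE_2021_35619_PROC_DDL%'
AND    event_timestamp >= SYSTIMESTAMP - INTERVAL '1' DAY
GROUP  BY dbusername, userhost, client_program_name
ORDER  BY ddl_events DESC;

-- Drill-down for one account: exact statements, target objects, whether each
-- succeeded (return_code = 0) and which system privilege was exercised.
SELECT event_timestamp,
       action_name,
       object_schema,
       object_name,
       return_code,
       system_privilege_used,
       sql_text
FROM   unified_audit_trail
WHERE  dbusername = 'APP_REPORTING'   -- account under investigation (example name)
AND    unified_audit_policies LIKE '%CVE_2021_35619_PROC_DDL%'
ORDER  BY event_timestamp;
```

Run the grouped query on a schedule and compare against a baseline window of normal activity; accounts that never created procedures before and suddenly do, or procedure DDL from an unfamiliar userhost or client program, are the events worth correlating with the listener log.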
How to Mitigate CVE-2021-35619
Immediate Actions Required
- Apply the Oracle Critical Patch Update (CPU) from October 2021 immediately
- Review and restrict accounts with Create Procedure privilege to essential users only
- Audit existing stored procedures for suspicious or unauthorized code
- Implement network segmentation to limit Oracle Net protocol exposure
Patch Information
Oracle addressed this vulnerability in the October 2021 Critical Patch Update (CPU). Organizations should apply the patches listed in the Oracle Critical Patch Update Advisory - October 2021, or a later CPU that supersedes it, to every affected version: 12.1.0.2, 12.2.0.1, 19c, and 21c.
Workarounds
- Revoke Create Procedure privilege from non-essential database accounts until patching is complete
- Remove the Oracle JVM from databases where no application uses Java stored code (Oracle provides the rmjvm.sql script for this); this is a substantial change with dependent components, not a runtime switch, so treat it as a project rather than a quick workaround
- Implement strict network access controls to limit Oracle Net exposure to trusted networks only
- Enable Oracle Database Vault to provide additional access control layers around sensitive operations
# Configuration example - Revoke Create Procedure privilege (run as SYSDBA)
sqlplus / as sysdba
-- Removes a direct grant only; the privilege may still arrive through a role
-- such as RESOURCE, which this statement does not touch
REVOKE CREATE PROCEDURE FROM <username>;
-- Verify Java VM status in the database
SELECT comp_name, status FROM dba_registry WHERE comp_name LIKE '%JAVA%';
-- Removing Java from the database is done with Oracle's rmjvm.sql script
-- ($ORACLE_HOME/javavm/install/rmjvm.sql), not with DBMS_JAVA.SET_OUTPUT,
-- which only sizes the System.out buffer for the session. Removal drops every
-- Java object and the registry components that depend on the JVM.
-- Note: Test in a non-production environment first
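As an added example, not from the original page, the queries below inventory every account that can exercise CREATE PROCEDURE, including accounts that hold it only through a role, and then show the revoke options and the check to run before considering Java removal. They assume a SYSDBA session on 12.1.0.2 or later (the ORACLE_MAINTAINED column of DBA_USERS appeared in 12.1); the account name app_reporting is an illustrative placeholder.

```sql
-- Who can exercise CREATE PROCEDURE today? Both paths must be checked,
-- because REVOKE CREATE PROCEDURE FROM <user> only removes a direct grant.

-- (a) Direct grants to non-Oracle-maintained user accounts.
SELECT grantee, 'DIRECT' AS granted_via
FROM   dba_sys_privs
WHERE  privilege = 'CREATE PROCEDURE'
AND    grantee IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
UNION ALL
-- (b) Grants that arrive through a role, nested roles included. The default
--     RESOURCE role carries CREATE PROCEDURE, so every RESOURCE grantee shows
--     up here. The hierarchy walks user -> role -> nested role and keeps the
--     rows whose role directly holds the privilege.
SELECT DISTINCT CONNECT_BY_ROOT grantee                        AS grantee,
       'ROLE' || SYS_CONNECT_BY_PATH(granted_role, '>')        AS granted_via
FROM   dba_role_privs
WHERE  granted_role IN (SELECT grantee FROM dba_sys_privs
                        WHERE  privilege = 'CREATE PROCEDURE')
START WITH grantee IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
CONNECT BY PRIOR granted_role = grantee
ORDER BY 1, 2;

-- Remove a direct grant from an account that does not need it (example name).
-- This raises ORA-01952 if the account never held the privilege directly.
REVOKE CREATE PROCEDURE FROM app_reporting;

-- Where the privilege came through RESOURCE, revoke the role from the account
-- instead. Pulling CREATE PROCEDURE out of RESOURCE itself would change every
-- RESOURCE grantee at once, and RESOURCE also carries CREATE TABLE and other
-- privileges the application may rely on, so verify before revoking it.
REVOKE resource FROM app_reporting;

-- Before treating the JVM as removable, confirm that no application schema
-- owns Java objects; anything listed here stops working once Java is removed.
SELECT owner, object_type, COUNT(*) AS objects
FROM   dba_objects
WHERE  object_type IN ('JAVA SOURCE', 'JAVA CLASS', 'JAVA RESOURCE')
AND    owner IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N')
GROUP  BY owner, object_type
ORDER  BY owner, object_type;
```

Re-run the inventory query after revoking: an account that still appears with a ROLE path has the privilege through a grant the REVOKE did not remove, which is the common reason a privilege review "succeeds" without changing anything.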
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


