CVE-2022-21247 Overview
CVE-2022-21247 is a vulnerability in the Core RDBMS component of Oracle Database Server that enables unauthorized read access to sensitive data. This flaw affects Oracle Database Server versions 12.2.0.1 and 19c, allowing high-privileged attackers with Create Session and Execute Catalog Role privileges to access a subset of Core RDBMS accessible data through network-based attacks via Oracle Net protocol.
Critical Impact
Authenticated attackers with elevated database privileges can exploit this vulnerability to gain unauthorized read access to sensitive data stored in Oracle Database Server's Core RDBMS component.
Affected Products
- Oracle Database Server version 12.2.0.1
- Oracle Database Server version 19c
- Core RDBMS component across affected versions
Discovery Timeline
- 2022-01-19 - CVE-2022-21247 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21247
Vulnerability Analysis
This vulnerability resides in the Core RDBMS component of Oracle Database Server. The security flaw allows an attacker who has already obtained high-level database privileges (specifically Create Session and Execute Catalog Role) to bypass intended access restrictions and read data they should not have access to.
The attack requires network access via Oracle Net, Oracle's proprietary networking protocol used for database communications. While the prerequisite privileges limit the attack surface to users with significant existing access, the vulnerability still represents a breach of the principle of least privilege within the database environment.
The vulnerability is classified as easily exploitable, meaning that once an attacker has the required privileges, exploitation does not require complex techniques or sophisticated attack chains.
Root Cause
The vulnerability stems from improper access control within the Core RDBMS component. The flaw allows privileged database users to access data beyond their authorized scope through the Oracle Net protocol. This represents a failure in the internal authorization mechanisms that should enforce data access boundaries even for users with elevated privileges.
No specific CWE has been assigned to this vulnerability (NVD-CWE-noinfo), suggesting the exact technical root cause has not been publicly disclosed by Oracle.
Attack Vector
The attack vector for CVE-2022-21247 requires:
- Network Access: The attacker must have network connectivity to the Oracle Database Server via Oracle Net protocol
- High Privileges: The attacker must possess Create Session and Execute Catalog Role privileges
- Direct Exploitation: Once prerequisites are met, the vulnerability can be exploited directly to read unauthorized data
The exploitation mechanism involves leveraging the existing privileged session to access data outside the attacker's authorized scope within the Core RDBMS component. Due to the nature of Oracle's security disclosure practices, specific exploitation techniques have not been publicly detailed.
Detection Methods for CVE-2022-21247
Indicators of Compromise
- Unusual data access patterns from users with Execute Catalog Role privileges
- Unexpected queries against system catalog tables or restricted data segments
- Anomalous Oracle Net traffic patterns from privileged database sessions
- Audit log entries showing access to data outside a user's normal scope
Detection Strategies
- Enable Oracle Database Auditing to track all activities by users with Execute Catalog Role
- Monitor for unusual SELECT operations against sensitive tables from privileged accounts
- Implement database activity monitoring (DAM) solutions to detect anomalous access patterns
- Review Oracle listener logs for suspicious Oracle Net connection patterns
Monitoring Recommendations
- Configure Oracle Fine-Grained Auditing (FGA) on sensitive data objects
- Establish baseline activity profiles for users with Create Session and Execute Catalog Role privileges
- Implement real-time alerting for data access outside normal business patterns
- Correlate database audit logs with network monitoring for comprehensive visibility
How to Mitigate CVE-2022-21247
Immediate Actions Required
- Apply the January 2022 Critical Patch Update from Oracle immediately
- Review all users with Create Session and Execute Catalog Role privileges
- Implement principle of least privilege by removing unnecessary catalog role grants
- Enable enhanced auditing on the Core RDBMS component pending patch application
Patch Information
Oracle has addressed this vulnerability in the January 2022 Critical Patch Update (CPU). Administrators should apply the appropriate patches for their Oracle Database Server versions (12.2.0.1 or 19c).
For detailed patch information and download links, refer to the Oracle Security Alert - January 2022.
Workarounds
- Restrict Execute Catalog Role grants to only essential database administrators
- Implement network segmentation to limit Oracle Net access to trusted hosts only
- Enable comprehensive database auditing to detect potential exploitation attempts
- Consider revoking Create Session privileges from non-essential high-privileged accounts until patching is complete
# Review users with Execute Catalog Role
# Run as SYSDBA to audit privilege assignments
SELECT grantee, granted_role
FROM dba_role_privs
WHERE granted_role = 'EXECUTE_CATALOG_ROLE';
# Enable auditing for catalog role users
AUDIT SELECT ANY TABLE BY ACCESS;
AUDIT EXECUTE ANY PROCEDURE BY ACCESS;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
