CVE-2022-21393 Overview
CVE-2022-21393 is a Denial of Service vulnerability in the Java VM component of Oracle Database Server. This easily exploitable vulnerability allows a low privileged attacker with Create Procedure privilege and network access via Oracle Net to compromise the Java VM component, resulting in a partial denial of service (partial DOS) condition.
Critical Impact
Attackers with minimal privileges can disrupt Java VM availability in Oracle Database Server environments, potentially affecting applications and services that depend on the database's Java functionality.
Affected Products
- Oracle Database Server 12.1.0.2
- Oracle Database Server 12.2.0.1
- Oracle Database Server 19c
- Oracle Database Server 21c
Discovery Timeline
- 2022-01-19 - CVE-2022-21393 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21393
Vulnerability Analysis
This vulnerability resides within the Java VM component of Oracle Database Server, which provides Java execution capabilities within the database environment. The flaw allows attackers to trigger a partial denial of service condition affecting the availability of the Java VM subsystem.
The vulnerability is classified as easily exploitable, requiring only low-level privileges (specifically the Create Procedure privilege) and network access via Oracle Net protocol. The attack does not require user interaction, making it straightforward for authenticated attackers to exploit. The impact is limited to availability, with no confidentiality or integrity implications, resulting in a partial degradation of service rather than complete system unavailability.
Root Cause
The vulnerability stems from improper handling within the Java VM component when processing certain operations initiated by users with Create Procedure privileges. While specific technical details have not been publicly disclosed by Oracle (classified as NVD-CWE-noinfo), the vulnerability allows authenticated users to consume resources or trigger conditions that degrade Java VM performance and availability within the database environment.
Attack Vector
The attack vector for CVE-2022-21393 involves network-based exploitation through Oracle Net, Oracle's networking layer that enables client-server communication. An attacker would need:
- Network access to the Oracle Database Server via Oracle Net protocol
- Valid database credentials with at least Create Procedure privilege
- The ability to execute operations that trigger the vulnerability condition
The attack does not require any user interaction and can be executed remotely. The scope is unchanged, meaning the vulnerability is confined to the Java VM component and does not allow pivoting to other system components. Successful exploitation results in partial service disruption affecting Java-based database operations.
Detection Methods for CVE-2022-21393
Indicators of Compromise
- Unusual spikes in database resource utilization attributed to Java VM operations
- Repeated failed or slow Java stored procedure executions from specific user accounts
- Abnormal network traffic patterns to the Oracle Net listener from unexpected sources
- Database alert logs showing Java VM-related errors or performance degradation
Detection Strategies
- Monitor database audit logs for excessive Create Procedure operations from low-privileged accounts
- Implement alerting on Java VM performance metrics that deviate from established baselines
- Track Oracle Net connection attempts and correlate with Java VM activity patterns
- Review user privilege assignments, particularly focusing on accounts with Create Procedure privilege
Monitoring Recommendations
- Enable detailed auditing for accounts with Create Procedure privileges
- Configure Oracle Database performance monitoring to track Java VM resource consumption
- Set up alerts for unusual patterns in Oracle Net protocol communications
- Monitor database availability metrics with focus on Java VM subsystem health
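The audit and detection strategies above can be implemented with unified auditing. The following is an added example, not from the advisory or from Oracle: it creates an audit policy for CREATE PROCEDURE activity and runs a query that flags non-Oracle accounts issuing bursts of procedure DDL. It assumes Oracle Database 12c or later with unified auditing enabled; the policy name, the one-hour window and the threshold of 20 statements are constructed values to tune per environment.

```sql
-- 1. Audit every use of the CREATE PROCEDURE system privilege plus the related
--    DDL actions. Policy name is an assumption; rename to match local conventions.
CREATE AUDIT POLICY cve_2022_21393_proc_pol
  PRIVILEGES CREATE PROCEDURE
  ACTIONS    CREATE PROCEDURE, ALTER PROCEDURE, DROP PROCEDURE;
AUDIT POLICY cve_2022_21393_proc_pol;

-- 2. Detection query: accounts that are not Oracle-maintained and issued more
--    than 20 procedure DDL statements in any one-hour bucket during the last day.
--    failed_count highlights repeated failing attempts, one of the indicators above.
SELECT a.dbusername,
       a.userhost,
       a.client_program_name,
       TRUNC(a.event_timestamp, 'HH24')                       AS hour_bucket,
       COUNT(*)                                               AS ddl_count,
       SUM(CASE WHEN a.return_code <> 0 THEN 1 ELSE 0 END)    AS failed_count
  FROM unified_audit_trail a
  JOIN dba_users u
    ON u.username = a.dbusername
 WHERE a.unified_audit_policies LIKE '%CVE_2022_21393_PROC_POL%'
   AND a.action_name IN ('CREATE PROCEDURE', 'ALTER PROCEDURE', 'DROP PROCEDURE')
   AND a.event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
   AND u.oracle_maintained = 'N'
 GROUP BY a.dbusername, a.userhost, a.client_program_name,
          TRUNC(a.event_timestamp, 'HH24')
HAVING COUNT(*) > 20
 ORDER BY ddl_count DESC;
```

Run the query from a scheduled job or a SIEM database connector and baseline the threshold against normal deployment activity before alerting on it.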
How to Mitigate CVE-2022-21393
Immediate Actions Required
- Apply the Oracle Critical Patch Update (CPU) from January 2022 immediately
- Review and restrict Create Procedure privileges to only essential accounts
- Implement network segmentation to limit Oracle Net access to authorized systems
- Monitor Java VM operations for signs of exploitation attempts
Patch Information
Oracle has addressed this vulnerability in the January 2022 Critical Patch Update (CPU). Organizations running affected versions of Oracle Database Server (12.1.0.2, 12.2.0.1, 19c, and 21c) should apply the relevant patches as documented in the Oracle January 2022 Security Alert. The patch remediation addresses the underlying issue in the Java VM component that enables the partial denial of service condition.
Workarounds
- Restrict Create Procedure privilege to only necessary database users through privilege auditing and reduction
- Implement Oracle Database Vault to add additional access controls around Java VM operations
- Use network access control lists (ACLs) to limit Oracle Net connections to known, trusted hosts
- Consider disabling the Java VM component if not required for business operations using DBMS_JAVA.set_output restrictions
# Configuration example: review and revoke unnecessary CREATE PROCEDURE grants
# Connect to the database as SYSDBA and run the statements inside SQL*Plus
sqlplus / as sysdba <<'EOF'
-- List every grantee (user or role) holding the CREATE PROCEDURE system privilege,
-- skipping Oracle-maintained accounts so the review focuses on application users
SELECT p.grantee, p.privilege, p.admin_option,
       CASE WHEN r.role IS NOT NULL THEN 'ROLE' ELSE 'USER' END AS grantee_type
  FROM dba_sys_privs p
  LEFT JOIN dba_roles r ON r.role = p.grantee
  LEFT JOIN dba_users u ON u.username = p.grantee
 WHERE p.privilege = 'CREATE PROCEDURE'
   AND NVL(u.oracle_maintained, 'N') = 'N';
-- Revoke from accounts that do not need it (example; substitute the real account name)
-- REVOKE CREATE PROCEDURE FROM username;
EXIT;
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.