CVE-2022-39419 Overview
CVE-2022-39419 affects the Java VM component of Oracle Database Server, specifically versions 19c and 21c. The flaw permits a low-privileged attacker with the CREATE PROCEDURE privilege to access a subset of Java VM accessible data over Oracle Net. Exploitation requires network access but no user interaction. Oracle addressed the issue in the October 2022 Critical Patch Update.
Critical Impact
Authenticated attackers with CREATE PROCEDURE privilege can obtain unauthorized read access to Java VM data inside the Oracle Database, exposing confidential information stored or processed by the Java VM.
Affected Products
- Oracle Database Server, Java VM component, version 19c
- Oracle Database Server, Java VM component, version 21c
- Deployments exposing Oracle Net to users granted the CREATE PROCEDURE privilege
Discovery Timeline
- 2022-10-18 - CVE-2022-39419 published to the National Vulnerability Database (NVD)
- 2022-10-18 - Oracle released a fix in the Oracle Critical Patch Update - October 2022
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2022-39419
Vulnerability Analysis
The vulnerability resides in the Java VM component embedded inside the Oracle Database Server. The Java VM executes Java stored procedures and PL/SQL-callable code inside the database kernel. A low-privileged database user holding the CREATE PROCEDURE privilege can interact with the Java VM through Oracle Net and read data that should remain isolated. The issue is classified as an information disclosure flaw with confidentiality-only impact. NVD lists the weakness as NVD-CWE-noinfo because Oracle did not publish detailed root cause information. The current EPSS score is 0.209% at the 43.128 percentile, indicating limited near-term exploitation likelihood.
Root Cause
Oracle did not disclose the precise defect. Based on the advisory, the Java VM fails to enforce sufficient access controls when a procedure created by a low-privileged user requests data through Oracle Net. The result is an authorization gap that exposes a subset of Java VM accessible data.
Attack Vector
The attacker authenticates to the database with an account that has the CREATE PROCEDURE privilege. The attacker then creates a Java stored procedure and invokes it over Oracle Net to read Java VM data that the role should not be permitted to access. No user interaction is required, and the attack complexity is low.
No public proof-of-concept code is available for this issue. Refer to the Oracle Critical Patch Update - October 2022 for vendor-supplied details.
Detection Methods for CVE-2022-39419
Indicators of Compromise
- Unexpected CREATE PROCEDURE or CREATE JAVA activity by accounts that do not normally author Java stored procedures
- Java stored procedures invoking classes that touch internal Java VM resources or system packages
- Sessions originating from Oracle Net clients that execute Java methods immediately after creating a procedure
Detection Strategies
- Audit DBA_OBJECTS and DBA_JAVA_CLASSES for new Java-based objects created by low-privileged schemas
- Enable Oracle Unified Auditing for CREATE PROCEDURE, CREATE JAVA, and execution of Java stored procedures
- Correlate Oracle Net session metadata with procedure creation events to identify reconnaissance against the Java VM
Monitoring Recommendations
- Forward Oracle audit trails to a centralized analytics platform for behavioral baselining of privileged DDL activity
- Alert on grants or role changes that add CREATE PROCEDURE to non-developer accounts
- Review database listener logs for unusual client IPs invoking Java stored procedures over Oracle Net
How to Mitigate CVE-2022-39419
Immediate Actions Required
- Apply the October 2022 Critical Patch Update to Oracle Database 19c and 21c instances
- Inventory accounts holding CREATE PROCEDURE and revoke the privilege where it is not required
- Restrict Oracle Net exposure to trusted application hosts using valid node checking or network ACLs
Patch Information
Oracle delivered the fix as part of the Oracle Critical Patch Update - October 2022. Administrators should install the corresponding Database Release Update or Patch Set Update for 19c and 21c and validate that the Java VM component is upgraded. Confirm the patch level with SELECT * FROM DBA_REGISTRY_HISTORY; after application.
Workarounds
- Revoke the CREATE PROCEDURE system privilege from accounts that do not need Java or PL/SQL development capabilities
- Disable or remove the Java VM component on databases that do not require server-side Java execution
- Limit Oracle Net access through sqlnet.oraTCP.VALIDNODE_CHECKING and firewall rules to reduce the attacker population
# Example: revoke procedure creation privilege from a low-trust user
sqlplus / as sysdba
REVOKE CREATE PROCEDURE FROM app_user;
REVOKE CREATE ANY PROCEDURE FROM app_user;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
