CVE-2024-20903 Overview
CVE-2024-20903 is a vulnerability in the Java VM component of Oracle Database Server. The flaw affects supported versions 19.3-19.21 and 21.3-21.12. A low-privileged attacker holding Create Session and Create Procedure privileges can exploit the issue through Oracle Net network access. Successful exploitation enables unauthorized creation, deletion, or modification of critical data accessible by the Java VM. The vulnerability impacts integrity only, with no direct confidentiality or availability consequences. Oracle disclosed the issue in the January 2024 Critical Patch Update.
Critical Impact
Authenticated remote attackers with minimal privileges can tamper with critical data managed by the Oracle Database Java VM, undermining database integrity guarantees.
Affected Products
- Oracle Database Server versions 19.3 through 19.21
- Oracle Database Server versions 21.3 through 21.12
- Deployments exposing Oracle Net to networks where low-privileged database accounts exist
Discovery Timeline
- 2024-02-17 - CVE-2024-20903 published to the National Vulnerability Database (NVD)
- 2024-11-27 - Last updated in NVD database
Technical Details for CVE-2024-20903
Vulnerability Analysis
The vulnerability resides in the Java VM component embedded in Oracle Database Server. Oracle's Java VM executes PL/SQL-callable Java stored procedures inside the database engine. An authenticated user with Create Session and Create Procedure privileges can interact with this component over Oracle Net.
Exploitation does not require elevated roles such as DBA or JAVA_ADMIN. The attacker abuses standard procedure-creation pathways to reach Java VM code paths that fail to enforce expected integrity controls. Successful exploitation grants the attacker the ability to create, delete, or modify data the Java VM can reach within the database.
The attack does not impact confidentiality or availability. Integrity is the sole affected security property, which still poses risk to financial records, audit logs, and reference data stored in tables accessible by the Java VM context.
EPSS data lists exploit probability at 0.19%, and no public proof-of-concept or in-the-wild exploitation is currently tracked.
Root Cause
Oracle has not published a detailed technical write-up. The CWE is recorded as NVD-CWE-noinfo. Based on the advisory, the root cause involves insufficient privilege enforcement within Java VM code paths reachable by users holding routine procedure-creation privileges. The vulnerability allows operations that should be reserved for higher-privileged accounts.
Attack Vector
The attack vector is network-based over Oracle Net. The attacker must authenticate to the database with an account that has Create Session and Create Procedure privileges. From this position, the attacker invokes Java VM functionality to perform unauthorized writes against Java VM-accessible data. No user interaction is required, and the attack complexity is low.
Because the required privileges are commonly granted to application accounts and developers, the realistic attack surface is broad in environments that allow direct procedure creation by non-administrative users.
Detection Methods for CVE-2024-20903
Indicators of Compromise
- Unexpected CREATE PROCEDURE or CREATE JAVA statements issued by low-privileged accounts
- Modifications to critical tables performed via Java stored procedures rather than the application's normal data path
- Audit records showing Java VM execution chains originating from non-administrative sessions
Detection Strategies
- Enable Oracle Unified Auditing on CREATE PROCEDURE, CREATE JAVA, and EXECUTE actions against Java VM objects
- Compare installed database patch levels against the January 2024 Critical Patch Update inventory to flag exposed instances
- Correlate session activity from accounts with Create Procedure privilege against subsequent DML on sensitive tables
Monitoring Recommendations
- Forward Oracle audit trails to a centralized analytics platform for behavioral baselining of procedure creation activity
- Alert on anomalous DDL volume from application or developer accounts during off-hours
- Track changes to DBA_JAVA_POLICY and Java permission grants for unauthorized modifications
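The correlation and off-hours checks listed above, as an added example that is not part of this advisory or of any Oracle tooling. It runs over records shaped like a UNIFIED_AUDIT_TRAIL export (EVENT_TIMESTAMP, DBUSERNAME, SESSIONID, ACTION_NAME, OBJECT_SCHEMA, OBJECT_NAME); the rows, the sensitive-table list, the admin allow-list and the 30-minute window are constructed assumptions for the example.

```python
"""Correlate Oracle audit records: code creation followed by DML on sensitive tables.

Added example, not from the original advisory. Records mimic the column
order EVENT_TIMESTAMP, DBUSERNAME, SESSIONID, ACTION_NAME, OBJECT_SCHEMA,
OBJECT_NAME of a UNIFIED_AUDIT_TRAIL export. All values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# DDL that creates code the Java VM / PL/SQL engine will later execute
DDL_OF_INTEREST = {"CREATE PROCEDURE", "CREATE FUNCTION", "CREATE PACKAGE BODY", "CREATE JAVA"}
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
SENSITIVE_TABLES = {("FIN", "LEDGER"), ("SEC", "AUDIT_LOG")}  # assumed for the example
ADMIN_ACCOUNTS = {"SYS", "SYSTEM"}                              # assumed allow-list
WINDOW = timedelta(minutes=30)                                  # assumed correlation window


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


# Constructed sample audit rows (not real audit data)
SAMPLE_AUDIT = [
    ("2024-02-20 02:10:05", "APP_USER", 101, "CREATE PROCEDURE", "APP_USER", "FIX_BAL"),
    ("2024-02-20 02:11:40", "APP_USER", 101, "UPDATE", "FIN", "LEDGER"),
    ("2024-02-20 09:00:00", "DEV_USER", 102, "CREATE JAVA", "DEV_USER", "Helper"),
    ("2024-02-20 09:05:00", "DEV_USER", 102, "INSERT", "DEV_USER", "SCRATCH"),  # not sensitive
    ("2024-02-20 10:00:00", "SYSTEM", 103, "CREATE PROCEDURE", "SYSTEM", "MAINT"),
    ("2024-02-20 10:01:00", "SYSTEM", 103, "DELETE", "SEC", "AUDIT_LOG"),       # allow-listed admin
    ("2024-02-20 11:00:00", "ANALYST", 104, "DELETE", "SEC", "AUDIT_LOG"),      # DML with no prior DDL
    ("2024-02-20 23:30:00", "APP_USER", 105, "CREATE PROCEDURE", "APP_USER", "P1"),
    ("2024-02-20 23:31:00", "APP_USER", 105, "CREATE PROCEDURE", "APP_USER", "P2"),
    ("2024-02-20 23:32:00", "APP_USER", 105, "CREATE PROCEDURE", "APP_USER", "P3"),
]


def find_ddl_then_dml(records, window=WINDOW):
    """Return (user, sessionid, created_object, dml_action, table) for each sensitive-table
    write that a non-admin account performed within `window` after creating code in the
    same session."""
    by_session = defaultdict(list)
    for ts, user, sid, action, schema, obj in records:
        by_session[(user, sid)].append((parse(ts), action, schema, obj))
    hits = []
    for (user, sid), events in by_session.items():
        if user in ADMIN_ACCOUNTS:
            continue
        events.sort()
        ddl_events = [e for e in events if e[1] in DDL_OF_INTEREST]
        for ts, action, schema, obj in events:
            if action in DML and (schema, obj) in SENSITIVE_TABLES:
                prior = [d for d in ddl_events if d[0] <= ts <= d[0] + window]
                if prior:
                    hits.append((user, sid, prior[0][3], action, f"{schema}.{obj}"))
    return hits


def off_hours_ddl_counts(records, start_hour=22, end_hour=6):
    """Count code-creating DDL per non-admin account outside the assumed business hours
    (timestamps are taken as local time)."""
    counts = defaultdict(int)
    for ts, user, sid, action, schema, obj in records:
        if action not in DDL_OF_INTEREST or user in ADMIN_ACCOUNTS:
            continue
        hour = parse(ts).hour
        if hour >= start_hour or hour < end_hour:
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_ddl_then_dml(SAMPLE_AUDIT):
        print("DDL-then-DML:", hit)
    print("off-hours DDL per account:", off_hours_ddl_counts(SAMPLE_AUDIT))
```

On the sample, only session 101 trips the correlation rule (a procedure is created and FIN.LEDGER is updated ninety seconds later); the allow-listed SYSTEM session and the DML without prior code creation are deliberately left unflagged so that the rule stays specific, while the off-hours counter surfaces APP_USER's four night-time DDL statements for baselining.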
How to Mitigate CVE-2024-20903
Immediate Actions Required
- Apply the January 2024 Oracle Critical Patch Update to all affected Oracle Database Server 19c and 21c instances
- Inventory database accounts holding Create Session and Create Procedure privileges and revoke where not required
- Restrict Oracle Net connectivity to trusted application tiers using firewalls and Oracle Connection Manager
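The privilege inventory step above, as an added example that is not part of this advisory or of Oracle's own tooling. It models the rows a DBA would export from DBA_SYS_PRIVS (GRANTEE, PRIVILEGE) and DBA_ROLE_PRIVS (GRANTEE, GRANTED_ROLE) and resolves roles transitively, because an account can meet the Create Session plus Create Procedure precondition without holding either privilege directly. The rows and role names are constructed; only the CONNECT role carrying CREATE SESSION reflects a real Oracle default.

```python
"""Find accounts that effectively hold CREATE SESSION and CREATE PROCEDURE.

Added example, not from the original advisory. Input mimics DBA_SYS_PRIVS
and DBA_ROLE_PRIVS exports; nested roles are followed to any depth.
"""
from collections import defaultdict

# Constructed DBA_SYS_PRIVS rows: (GRANTEE, PRIVILEGE)
SYS_PRIVS = [
    ("APP_USER", "CREATE SESSION"),
    ("APP_USER", "CREATE PROCEDURE"),
    ("APP_READONLY_USER", "CREATE SESSION"),
    ("DEV_ROLE", "CREATE PROCEDURE"),
    ("DEV_ROLE", "CREATE TABLE"),
    ("CONNECT", "CREATE SESSION"),      # the real CONNECT role grants CREATE SESSION
    ("REPORTING", "SELECT ANY TABLE"),
]

# Constructed DBA_ROLE_PRIVS rows: (GRANTEE, GRANTED_ROLE)
ROLE_PRIVS = [
    ("DEV_USER", "CONNECT"),
    ("DEV_USER", "DEV_ROLE"),
    ("ANALYST", "CONNECT"),
    ("ANALYST", "REPORTING"),
    ("REPORTING", "DEV_ROLE"),          # nested role: REPORTING -> DEV_ROLE
    ("SVC_BATCH", "DEV_ROLE"),          # no CREATE SESSION anywhere: cannot log in
]

ROLES = {"CONNECT", "DEV_ROLE", "REPORTING"}   # grantees that are roles, not users
PRECONDITION = {"CREATE SESSION", "CREATE PROCEDURE"}


def effective_privileges(grantee, sys_privs, role_privs):
    """System privileges held directly or through any chain of granted roles."""
    direct = defaultdict(set)
    for g, p in sys_privs:
        direct[g].add(p)
    roles_of = defaultdict(set)
    for g, r in role_privs:
        roles_of[g].add(r)
    privs, seen, stack = set(), set(), [grantee]
    while stack:                      # depth-first walk over the role graph
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        privs |= direct[g]
        stack.extend(roles_of[g])
    return privs


def accounts_meeting_precondition(sys_privs, role_privs, roles):
    """Map each non-role grantee that holds both privileges to its full effective set."""
    grantees = {g for g, _ in sys_privs} | {g for g, _ in role_privs}
    result = {}
    for user in sorted(g for g in grantees if g not in roles):
        privs = effective_privileges(user, sys_privs, role_privs)
        if PRECONDITION <= privs:
            result[user] = privs
    return result


if __name__ == "__main__":
    for user, privs in accounts_meeting_precondition(SYS_PRIVS, ROLE_PRIVS, ROLES).items():
        print(f"{user}: {sorted(privs)}")
```

APP_USER is caught through direct grants, DEV_USER through CONNECT plus DEV_ROLE, and ANALYST only because REPORTING itself holds DEV_ROLE; a query that joins DBA_SYS_PRIVS to a single level of DBA_ROLE_PRIVS would miss that last account, which is why the role walk is transitive.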
Patch Information
Oracle addressed CVE-2024-20903 in the January 2024 Critical Patch Update. Patches are available for Oracle Database Server 19c versions through 19.21 and 21c versions through 21.12. Refer to the Oracle Security Alert January 2024 advisory for download instructions and version-specific guidance.
Workarounds
- Revoke Create Procedure from accounts that do not need it as part of their application function
- Restrict Java VM permissions using DBMS_JAVA.GRANT_PERMISSION and tighten policy entries in DBA_JAVA_POLICY
- Enforce network access controls so only application servers can reach the Oracle Net listener
-- Configuration example: revoke unnecessary privileges and audit Java VM usage
REVOKE CREATE PROCEDURE FROM app_readonly_user;
-- Record every use of the procedure-creation privilege by the application account
AUDIT CREATE PROCEDURE BY app_user BY ACCESS;
AUDIT CREATE ANY JAVA, CREATE JAVA BY ACCESS;
-- Confirm patch level after applying the January 2024 CPU
SELECT PATCH_ID, ACTION, STATUS, ACTION_TIME
FROM DBA_REGISTRY_SQLPATCH
ORDER BY ACTION_TIME DESC;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.