CVE-2024-21174 Overview
CVE-2024-21174 is a vulnerability in the Java VM component of Oracle Database Server. This security flaw affects multiple supported versions of Oracle Database Server, including versions 19.3-19.23, 21.3-21.14, and 23.4. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), a resource-exhaustion weakness that can lead to denial-of-service conditions.
Critical Impact
Successful exploitation allows a low privileged attacker with Create Session and Create Procedure privileges to cause a partial denial of service (partial DOS) of the Java VM component in Oracle Database Server.
Affected Products
- Oracle Database Server versions 19.3-19.23
- Oracle Database Server versions 21.3-21.14
- Oracle Database Server version 23.4
Discovery Timeline
- 2024-07-16 - CVE-2024-21174 published to NVD
- 2025-06-18 - Last updated in NVD database
Technical Details for CVE-2024-21174
Vulnerability Analysis
This vulnerability resides in the Java VM component of Oracle Database Server, which provides Java support within the database environment. The flaw is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that the Java VM component fails to properly manage resource allocation, potentially allowing attackers to exhaust system resources.
The attack requires an authenticated user with specific privileges (Create Session and Create Procedure) to interact with the Java VM component over Oracle Net protocol. While the complexity of exploitation is high, successful attacks result in availability impacts to the Java VM component, causing partial service disruption.
Root Cause
The root cause of CVE-2024-21174 is improper resource allocation handling within the Java VM component. The vulnerability falls under CWE-770, which describes scenarios where software allocates a reusable resource or group of resources without imposing limits on how much can be allocated, allowing resource exhaustion attacks. In this case, the Java VM component does not adequately limit or throttle resource consumption, enabling an attacker to trigger conditions that degrade service availability.
Attack Vector
The attack vector for this vulnerability is network access via the Oracle Net protocol. An attacker must hold low-level privileges, specifically the Create Session and Create Procedure permissions, within the Oracle Database environment. The attack complexity is high, meaning specific conditions must be met for successful exploitation.
The attacker leverages their authenticated session to interact with the Java VM component in a manner that causes resource exhaustion. While the vulnerability does not impact confidentiality or integrity, it can disrupt the availability of the Java VM subsystem within the database.
No verified exploit code is publicly available for this vulnerability. In general terms, exploitation would involve requests or stored procedures that consume Java VM resources without proper cleanup or throttling, until the component degrades.
Detection Methods for CVE-2024-21174
Indicators of Compromise
- Unusual resource consumption patterns in the Oracle Database Server Java VM component
- Database sessions with Create Session and Create Procedure privileges exhibiting abnormal activity
- Intermittent availability issues specifically affecting Java-based stored procedures or functions
- Elevated memory or CPU usage associated with Java VM processes within the database
Detection Strategies
- Monitor Oracle Database audit logs for suspicious activity from users with Create Procedure privileges
- Implement resource monitoring for the Java VM component to detect consumption anomalies
- Configure alerts for partial denial of service conditions affecting Java-based database operations
- Review authentication logs for unusual session patterns targeting Java VM functionality
Monitoring Recommendations
- Enable Oracle Database auditing for Java VM related operations and stored procedure creation
- Deploy network monitoring on Oracle Net traffic to identify potential exploitation attempts
- Establish baseline resource utilization metrics for the Java VM component to detect deviations
- Implement SentinelOne Singularity Platform for real-time endpoint detection and response on database servers
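The following Oracle SQL is an added example, not part of the original advisory, showing how the auditing and baseline recommendations above can be implemented. It assumes Oracle Database 12c or later with unified auditing and a DBA session; the policy name cve_2024_21174_mon is a constructed placeholder.

```sql
-- Added example (not from the original advisory): audit stored-code
-- creation and baseline Java VM memory so deviations stand out.
-- Assumes unified auditing and a user with AUDIT_ADMIN / DBA rights.

-- 1. Audit use of the privilege the advisory ties to exploitation
--    (CREATE PROCEDURE) and creation of stored code in general.
CREATE AUDIT POLICY cve_2024_21174_mon
  PRIVILEGES CREATE PROCEDURE
  ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE;
AUDIT POLICY cve_2024_21174_mon;

-- 2. Review who has been creating stored code since the policy went live.
SELECT event_timestamp, dbusername, action_name, object_schema, object_name
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%CVE_2024_21174_MON%'
 ORDER BY event_timestamp DESC;

-- 3. Baseline the Java pool in the SGA: record free vs. in-use bytes
--    at a quiet time and compare on each monitoring run.
SELECT name, ROUND(bytes / 1024 / 1024, 1) AS mb
  FROM v$sgastat
 WHERE pool = 'java pool';

-- 4. Per-session Java heap statistics, heaviest consumers first.
--    Statistic names differ slightly between releases (for example
--    'java session heap used size'), so match them with a pattern.
SELECT s.sid, s.username, n.name, st.value
  FROM v$sesstat st
  JOIN v$statname n ON n.statistic# = st.statistic#
  JOIN v$session  s ON s.sid = st.sid
 WHERE n.name LIKE 'java%heap%'
   AND st.value > 0
 ORDER BY st.value DESC
 FETCH FIRST 20 ROWS ONLY;
```

A session that climbs far above the baseline from query 4 while also appearing in query 2 is the pattern the Indicators of Compromise above describe.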
How to Mitigate CVE-2024-21174
Immediate Actions Required
- Apply the security patches from the Oracle Critical Patch Update (CPU) July 2024
- Review and restrict Create Procedure privileges to only essential users and service accounts
- Implement network segmentation to limit Oracle Net access to trusted systems
- Monitor affected Oracle Database Server instances for signs of exploitation
Patch Information
Oracle has addressed this vulnerability in the July 2024 Critical Patch Update. Administrators should apply the relevant security patches for their affected Oracle Database Server versions (19.3-19.23, 21.3-21.14, or 23.4). Detailed patch information and download instructions are available in the Oracle Security Alert July 2024.
Workarounds
- Restrict the Create Procedure privilege to only trusted database users who require it for legitimate purposes
- Implement Oracle Database Vault to further control privileged access to the Java VM component
- Configure resource limits on the Java VM component where possible to mitigate potential exhaustion
- Consider disabling the Java VM component if it is not required for business operations
-- Review users with Create Procedure privilege
-- Run as DBA to identify potentially affected accounts
SELECT grantee, privilege FROM dba_sys_privs
WHERE privilege IN ('CREATE SESSION', 'CREATE PROCEDURE')
ORDER BY grantee, privilege;
-- Consider revoking unnecessary privileges
-- REVOKE CREATE PROCEDURE FROM <username>;
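The following Oracle SQL is an added example, not part of the original advisory, showing how the "configure resource limits" and "restrict the privilege" workarounds can be applied together. It assumes Oracle Database 19c or later and a SYSDBA session; the profile name java_limited and the account app_java_user are constructed placeholders, and the byte values are illustrative.

```sql
-- Added example (not from the original advisory): bound Java VM resource
-- use per session while the July 2024 CPU is rolled out.
-- Run as SYSDBA; java_limited and app_java_user are placeholders.

-- 1. Cap session-private Java memory. When a session's Java state passes
--    the soft limit a warning is written to its trace file; when it passes
--    the hard limit the session is terminated with an out-of-memory error.
--    Both parameters are static, so they take effect after a restart.
--    Illustrative values: 50 MB soft, 100 MB hard.
ALTER SYSTEM SET java_soft_sessionspace_limit = 52428800 SCOPE=SPFILE;
ALTER SYSTEM SET java_max_sessionspace_size = 104857600 SCOPE=SPFILE;

-- 2. Bound concurrency and per-call CPU for accounts that must keep
--    CREATE PROCEDURE, so one account cannot monopolise the Java VM.
--    Profile resource limits are enforced only when RESOURCE_LIMIT is TRUE.
--    CPU_PER_CALL is in hundredths of a second (30000 = 5 minutes);
--    CONNECT_TIME and IDLE_TIME are in minutes.
ALTER SYSTEM SET resource_limit = TRUE SCOPE=BOTH;
CREATE PROFILE java_limited LIMIT
  SESSIONS_PER_USER 5
  CPU_PER_CALL      30000
  CONNECT_TIME      480
  IDLE_TIME         30;
ALTER USER app_java_user PROFILE java_limited;

-- 3. Verify: non-Oracle accounts that still hold CREATE PROCEDURE directly
--    but have not been placed under the restricted profile. Grants made
--    through roles are not shown here; check dba_role_privs for those.
SELECT p.grantee, u.profile
  FROM dba_sys_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE p.privilege = 'CREATE PROCEDURE'
   AND u.profile <> 'JAVA_LIMITED'
   AND u.oracle_maintained = 'N'
 ORDER BY p.grantee;
```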
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.