CVE-2024-21174 Overview
CVE-2024-21174 is a denial of service vulnerability in the Java VM component of Oracle Database Server. The flaw affects supported versions 19.3-19.23, 21.3-21.14, and 23.4. An authenticated attacker with Create Session and Create Procedure privileges can exploit the issue over Oracle Net to cause a partial denial of service in the Java VM.
The vulnerability is categorized as resource allocation without limits or throttling [CWE-770]. Exploitation does not impact confidentiality or integrity, only availability. Oracle addressed the issue in the July 2024 Critical Patch Update.
Critical Impact
Successful exploitation produces a partial denial of service of the Oracle Database Java VM, degrading availability for database workloads relying on Java stored procedures.
Affected Products
- Oracle Database Server versions 19.3 through 19.23
- Oracle Database Server versions 21.3 through 21.14
- Oracle Database Server version 23.4
Discovery Timeline
- 2024-07-16 - Oracle published the vulnerability as part of the July 2024 Critical Patch Update
- 2024-07-16 - CVE-2024-21174 published to NVD
- 2025-06-18 - Last updated in NVD database
Technical Details for CVE-2024-21174
Vulnerability Analysis
The vulnerability resides in the Java VM component embedded within Oracle Database Server. Oracle's Java VM allows developers to execute Java stored procedures inside the database engine. The flaw permits a low-privileged authenticated user to trigger a partial denial of service against the Java VM subsystem.
The CWE-770 classification indicates the underlying issue is allocation of resources without enforced limits or throttling. An attacker can submit crafted operations through Oracle Net that the Java VM processes without sufficient resource controls. This causes degradation of the Java VM's ability to service legitimate workloads.
Exploitation requires the attacker to hold Create Session and Create Procedure privileges. The attack complexity is rated high, meaning successful exploitation depends on conditions outside the attacker's direct control. The EPSS score is 0.231% as of the latest scoring.
Root Cause
The root cause is missing or insufficient resource limits within the Java VM component when processing operations initiated by authenticated database users. Without throttling, an attacker can consume Java VM resources to a degree that impairs availability. Oracle's advisory does not publicly disclose the specific code path or function affected.
Attack Vector
The attack vector is network-based via Oracle Net. The attacker must first authenticate to the database with a session that holds the Create Procedure privilege. From that session, the attacker submits requests that exercise the vulnerable Java VM code path. The result is partial service degradation rather than full database compromise.
No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. For additional technical context, refer to the Oracle Security Advisory.
Detection Methods for CVE-2024-21174
Indicators of Compromise
- Unexpected spikes in Java VM resource consumption (memory, CPU) on Oracle Database Server hosts
- Failed or stalled Java stored procedure executions originating from low-privileged accounts
- Sessions from accounts holding Create Session and Create Procedure repeatedly invoking Java VM operations
Detection Strategies
- Audit DBA_USERS and role grants to identify accounts that hold the Create Procedure privilege and review the legitimacy of each grant
- Enable Oracle Unified Auditing for procedure creation, replacement, and execution events tied to the Java VM
- Correlate Oracle alert log entries referencing ORA- errors from the Java VM with session origin data through a centralized log analytics platform
Monitoring Recommendations
- Forward Oracle audit trail and listener logs to a centralized SIEM for behavioral baselining of Java VM workloads
- Monitor Oracle Net connections from non-standard hosts or service accounts that should not invoke Java stored procedures
- Track resource usage trends per database session to flag anomalous Java VM activity patterns
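Added example (not part of the original advisory page) that implements two of the checks in the lists above: the first query resolves CREATE PROCEDURE holders through direct grants and nested roles, the second baselines per-session Java VM heap statistics. It assumes 12c or later (DBA_USERS.ORACLE_MAINTAINED, FETCH FIRST) and that the 'java %' statistic names exist in V$STATNAME on the affected releases.

```sql
-- 1. Accounts that can reach CREATE PROCEDURE: direct system-privilege grants
--    plus grants inherited through (nested) roles. Oracle-maintained accounts
--    are filtered out so the list contains only customer-created users.
WITH role_holders (grantee, role) AS (
  SELECT grantee, granted_role
    FROM dba_role_privs
  UNION ALL
  SELECT rp.grantee, rh.role          -- grantee -> role -> nested role
    FROM dba_role_privs rp
    JOIN role_holders rh ON rh.grantee = rp.granted_role
),
holders AS (
  SELECT grantee, 'DIRECT' AS via
    FROM dba_sys_privs
   WHERE privilege = 'CREATE PROCEDURE'
  UNION
  SELECT rh.grantee, 'ROLE ' || rh.role AS via
    FROM role_holders rh
    JOIN dba_sys_privs sp ON sp.grantee = rh.role
   WHERE sp.privilege = 'CREATE PROCEDURE'
)
SELECT h.grantee, h.via, u.account_status, u.profile
  FROM holders h
  JOIN dba_users u ON u.username = h.grantee   -- drops roles and PUBLIC
 WHERE u.oracle_maintained = 'N'
 ORDER BY h.grantee, h.via;

-- 2. Per-session Java VM heap statistics for behavioural baselining.
--    Assumption: statistic names beginning with 'java' (call/session heap
--    sizes and collection counts) are present in V$STATNAME; names vary by
--    release, so adjust the LIKE pattern after checking V$STATNAME.
SELECT s.sid, s.username, s.program, s.machine, n.name, st.value
  FROM v$sesstat  st
  JOIN v$statname n ON n.statistic# = st.statistic#
  JOIN v$session  s ON s.sid = st.sid
 WHERE n.name LIKE 'java %'
   AND st.value > 0
   AND s.username IS NOT NULL             -- skip background processes
 ORDER BY st.value DESC
 FETCH FIRST 20 ROWS ONLY;
```

Run the second query on a schedule and store the results; a session whose Java heap statistics climb far above its peers' baseline is the pattern the monitoring recommendations above describe.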
How to Mitigate CVE-2024-21174
Immediate Actions Required
- Apply the July 2024 Oracle Critical Patch Update to all affected Oracle Database Server instances
- Inventory accounts holding Create Session and Create Procedure privileges and revoke grants that are not operationally required
- Restrict Oracle Net access to trusted application servers and administrative subnets using network ACLs or Oracle Connection Manager
Patch Information
Oracle released fixes for CVE-2024-21174 in the July 2024 Critical Patch Update. Administrators should apply the corresponding patch for their specific release branch: 19.24 or later for the 19c line, 21.15 or later for the 21c line, and the 23ai patched release for 23.4. Verify patch application using opatch lsinventory after installation.
Workarounds
- Revoke Create Procedure privilege from accounts that do not require Java stored procedure functionality
- Disable the Java VM component on database instances where Java stored procedures are not in use
- Implement Oracle Database Resource Manager plans to cap resource consumption for low-privileged user groups
# Configuration example: revoke Create Procedure from a non-essential account
# (shell) connect to the instance as SYSDBA
sqlplus / as sysdba
-- (SQL*Plus) revoke the direct grant from the account
REVOKE CREATE PROCEDURE FROM app_readonly_user;
-- Verify which grantees (users and roles) still hold the privilege directly;
-- roles listed here must be reviewed separately with DBA_ROLE_PRIVS
SELECT grantee, privilege FROM dba_sys_privs
 WHERE privilege = 'CREATE PROCEDURE';
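Added example (not from the page or from Oracle's documentation) of the Resource Manager workaround listed above: a plan that caps CPU share, session PGA and call run time for a consumer group to which a low-privileged account is mapped. The plan, group and account names are constructed; SESSION_PGA_LIMIT assumes 12.2 or later.

```sql
-- Build the plan in a pending area: one throttled group plus the mandatory
-- OTHER_GROUPS directive. Java stored procedures run inside the calling
-- session, so session-level CPU, PGA and run-time caps apply to Java VM work.
BEGIN
  DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP(
    consumer_group => 'LOW_PRIV_JAVA',
    comment        => 'Accounts with CREATE PROCEDURE and no heavy Java VM need');
  DBMS_RESOURCE_MANAGER.CREATE_PLAN(
    plan    => 'JAVAVM_THROTTLE_PLAN',
    comment => 'Caps resource use of low-privileged groups');
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan              => 'JAVAVM_THROTTLE_PLAN',
    group_or_subplan  => 'LOW_PRIV_JAVA',
    comment           => 'CPU share 10%, hard CPU cap 10%, 256 MB PGA per session',
    mgmt_p1           => 10,
    utilization_limit => 10,
    session_pga_limit => 256,            -- MB; session errors above this
    switch_group      => 'CANCEL_SQL',   -- cancel the call, keep the session
    switch_time       => 300,            -- seconds of CPU per call
    switch_for_call   => TRUE);
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan             => 'JAVAVM_THROTTLE_PLAN',
    group_or_subplan => 'OTHER_GROUPS',
    comment          => 'Everything not mapped to LOW_PRIV_JAVA',
    mgmt_p1          => 90);
  DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA;
END;
/
-- Map the account to the group by database user name and allow the switch.
BEGIN
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.SET_CONSUMER_GROUP_MAPPING(
    attribute      => DBMS_RESOURCE_MANAGER.ORACLE_USER,
    value          => 'APP_READONLY_USER',
    consumer_group => 'LOW_PRIV_JAVA');
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA;
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP(
    grantee_name   => 'APP_READONLY_USER',
    consumer_group => 'LOW_PRIV_JAVA',
    grant_option   => FALSE);
END;
/
-- Activate the plan for the instance.
ALTER SYSTEM SET RESOURCE_MANAGER_PLAN = 'JAVAVM_THROTTLE_PLAN' SCOPE = BOTH;
```

Check the result with V$RSRC_CONSUMER_GROUP and V$SESSION.RESOURCE_CONSUMER_GROUP after the account reconnects; the plan limits damage from runaway Java VM work but is not a substitute for the July 2024 patch.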
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.