CVE-2026-35229 Overview
CVE-2026-35229 is a high-severity vulnerability affecting the Java VM component of Oracle Database Server. This improper access control flaw (CWE-284) allows an unauthenticated attacker with network access via Oracle Net to compromise the Java VM component, potentially resulting in unauthorized access to critical data or complete access to all Java VM accessible data.
The vulnerability is easily exploitable and does not require user interaction or privileges, making it a significant risk for organizations running affected versions of Oracle Database Server.
Critical Impact
Unauthenticated network attackers can gain unauthorized access to sensitive data stored within the Java VM component, potentially exposing all Java VM accessible data without any authentication requirements.
Affected Products
- Oracle Database Server 19.3-19.30
- Oracle Database Server 21.3-21.21
- Java VM component within Oracle Database Server
Discovery Timeline
- 2026-04-21 - CVE-2026-35229 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35229
Vulnerability Analysis
This vulnerability exists within the Java VM component of Oracle Database Server and falls under CWE-284 (Improper Access Control). The flaw enables unauthorized data access through the Oracle Net protocol without requiring authentication or user interaction.
The attack complexity is low, so exploitation does not depend on special conditions or circumstances. Successful exploitation affects confidentiality only: the attacker can read critical data or all Java VM accessible data, while the integrity and availability of the system are not affected.
Root Cause
The root cause is improper access control within the Java VM component of Oracle Database Server. The component fails to properly validate or restrict network requests arriving via Oracle Net, allowing unauthenticated users to bypass intended access restrictions and retrieve sensitive data that should otherwise be protected.
Attack Vector
The attack is network-based and targets the Oracle Net protocol, which is the communication layer for Oracle Database connections. An attacker can exploit this vulnerability remotely without any authentication credentials.
The attack scenario involves:
- An attacker identifies an Oracle Database Server with the vulnerable Java VM component exposed via Oracle Net
- The attacker crafts malicious requests targeting the Java VM component
- Due to improper access controls, the request bypasses authentication checks
- The attacker gains access to sensitive data within the Java VM accessible scope
No proof-of-concept exploits have been publicly disclosed at this time, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-35229
Indicators of Compromise
- Unusual or unauthorized queries to the Java VM component from external IP addresses
- Unexpected network connections to Oracle Net ports (typically TCP 1521) from untrusted sources
- Database audit logs showing access patterns to Java VM accessible data without corresponding valid authentication events
- Anomalous data extraction volumes from the database server
Detection Strategies
- Monitor Oracle Net listener logs for connection attempts from unauthorized sources
- Enable Oracle Database auditing for Java VM component access and review logs for suspicious activity
- Deploy network intrusion detection rules to identify exploitation attempts targeting Oracle Net
- Implement SentinelOne Singularity platform for real-time endpoint detection and behavioral analysis of database server processes
Monitoring Recommendations
- Configure Oracle Database audit policies to capture all Java VM component interactions
- Set up alerts for authentication failures followed by successful data access patterns
- Monitor network traffic to Oracle Database servers for anomalous connection patterns
- Establish baseline behavior for Java VM component access and alert on deviations
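One way to turn the listener-log monitoring called for under Detection Strategies and Monitoring Recommendations into a concrete check, as an added example that is not from this advisory or from Oracle: the script below parses lines in the classic text listener.log layout (fields separated by " * "; the XML log under ADR alert/ uses a different layout), flags establish records whose client address lies outside a trusted-network allowlist, reports whether the listener accepted or rejected each one, and counts connections per client so a baseline can be built. The sample lines, the trusted networks, and the function names are constructed for the example; confirm the field layout against your own listener.log before deploying it.

```python
"""Flag Oracle Net listener.log connection attempts from untrusted sources.

Added example (not advisory or Oracle code). Parses the classic listener.log
layout, whose fields are separated by " * ":
  timestamp * CONNECT_DATA * ADDRESS * action * service * return_code
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of listener.log (not real traffic).
# The second establish record is refused by valid node checking (TNS-12546);
# the third, from the same untrusted host, is accepted and is the one to chase.
SAMPLE_LOG = """\
21-APR-2026 09:12:45 * (CONNECT_DATA=(SERVICE_NAME=orclpdb)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=appuser))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.5.21)(PORT=49822)) * establish * orclpdb * 0
21-APR-2026 09:13:02 * (CONNECT_DATA=(SERVICE_NAME=orclpdb)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.44)(PORT=51004)) * establish * orclpdb * 12546
TNS-12546: TNS:permission denied
21-APR-2026 09:13:09 * (CONNECT_DATA=(SERVICE_NAME=orclpdb)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.44)(PORT=51010)) * establish * orclpdb * 0
21-APR-2026 09:14:30 * service_update * orclpdb * 0
"""

# Constructed allowlist: the subnets from which database clients are expected.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "10.10.6.0/24")]

HOST_RE = re.compile(r"\(HOST=([^)]*)\)")
PROGRAM_RE = re.compile(r"\(PROGRAM=([^)]*)\)")


def parse_line(line):
    """Return a dict for an establish record, or None for any other line."""
    parts = [p.strip() for p in line.split(" * ")]
    # Establish records carry six fields; service_update and TNS error lines carry fewer.
    if len(parts) != 6 or parts[3] != "establish":
        return None
    ts, connect_data, address, _action, service, rc = parts
    # HOST= appears in both CONNECT_DATA (the client's self-reported name) and
    # ADDRESS (the peer address the listener saw); only the latter is trustworthy.
    host = HOST_RE.search(address)
    program = PROGRAM_RE.search(connect_data)
    return {
        "time": ts,
        "client": host.group(1) if host else "",
        "program": program.group(1) if program else "",
        "service": service,
        "return_code": int(rc) if rc.isdigit() else -1,
    }


def is_trusted(client):
    """True if the client address falls inside one of TRUSTED_NETWORKS."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False  # a hostname rather than an address: treat as untrusted until resolved
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_suspicious(log_text):
    """Return (alert strings for untrusted clients, connection count per client)."""
    alerts = []
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["client"]] += 1
        if not is_trusted(rec["client"]):
            status = "ACCEPTED" if rec["return_code"] == 0 else f"rejected (TNS-{rec['return_code']})"
            alerts.append(
                f"{rec['time']} untrusted client {rec['client']} "
                f"program={rec['program'] or '<none>'} service={rec['service']} {status}"
            )
    return alerts, counts


if __name__ == "__main__":
    found, per_client = find_suspicious(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("connections per client:", dict(per_client))
```

A rejected record from an untrusted host shows valid node checking doing its job; an accepted one from the same host, especially with an empty PROGRAM and a generic CID, is the event to correlate with database audit records for the Java VM component.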
How to Mitigate CVE-2026-35229
Immediate Actions Required
- Apply the Oracle Critical Patch Update (CPU) from April 2026 immediately
- Restrict network access to Oracle Database servers using firewall rules to allow only trusted IP addresses
- Review and audit current Java VM component permissions and access controls
- Disable the Java VM component if not required for business operations
- Implement network segmentation to isolate database servers from untrusted networks
Patch Information
Oracle has released a security patch addressing this vulnerability as part of the Oracle Critical Patch Update April 2026. Organizations should apply this update to all affected Oracle Database Server installations running versions 19.3-19.30 and 21.3-21.21.
Before applying the patch, ensure you have a complete backup of your database and test the update in a non-production environment. Follow Oracle's patching guidelines and verify successful installation by checking the applied patch inventory.
Workarounds
- Restrict Oracle Net listener access using valid node checking (VALID_NODE_CHECKING_REGISTRATION = ON in listener.ora)
- Implement Oracle Database Vault to add additional access controls around sensitive data
- Use Oracle Connection Manager to add an additional layer of network security between clients and databases
- Disable Java in the database if the Java VM component is not required: REVOKE JAVAUSERPRIV FROM PUBLIC;
- Configure Oracle Advanced Security for network encryption and additional authentication requirements
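The first workaround names VALID_NODE_CHECKING_REGISTRATION, which controls which hosts may register database services with the listener; filtering of incoming client connections at the listener is done by the valid node checking parameters in sqlnet.ora on the listener host (TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES, TCP.EXCLUDED_NODES). The script below is an added example, not from this advisory or from Oracle: it holds a weak and a hardened sqlnet.ora fragment (both constructed), parses them, flags the weak settings, and evaluates whether a given client IP would reach the listener, so an allowlist can be tested before it is rolled out alongside the firewall rules under Immediate Actions. It models IP and CIDR entries only (hostname entries, which Oracle also accepts and resolves itself, are skipped) and assumes TCP.INVITED_NODES takes precedence when both lists are set, as the parameter is documented.

```python
"""Check sqlnet.ora valid node checking and test client IPs against it.

Added example (not Oracle code). Models TCP.VALIDNODE_CHECKING,
TCP.INVITED_NODES and TCP.EXCLUDED_NODES, the sqlnet.ora parameters the
listener uses to filter incoming client connections.
"""
import ipaddress
import re

# Constructed fragment: valid node checking is off, so any host that can
# reach TCP 1521 reaches the listener.
WEAK_SQLNET = """
SQLNET.EXPIRE_TIME = 10
TCP.VALIDNODE_CHECKING = no
"""

# Constructed fragment: only the application subnets and one DBA host are admitted.
HARDENED_SQLNET = """
SQLNET.EXPIRE_TIME = 10
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (10.10.5.0/24, 10.10.6.0/24, 10.20.0.15, dba-jump.example.internal)
"""

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")


def parse_sqlnet(text):
    """Collect KEY = VALUE lines into a dict (keys upper-cased, '#' comments dropped)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params


def node_list(value):
    """Turn '(a, b, ...)' into ip_network objects; hostname entries are not modelled."""
    nets = []
    for item in value.strip().strip("()").split(","):
        item = item.strip()
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            pass  # hostname: Oracle resolves these itself; skipped in this model
    return nets


def checking_enabled(params):
    """True if TCP.VALIDNODE_CHECKING is set to one of Oracle's affirmative values."""
    return params.get("TCP.VALIDNODE_CHECKING", "no").strip().lower() in ("yes", "true", "on", "1")


def client_allowed(params, client_ip):
    """Would the listener accept a TCP connection from client_ip under these settings?"""
    if not checking_enabled(params):
        return True
    ip = ipaddress.ip_address(client_ip)
    invited = node_list(params.get("TCP.INVITED_NODES", ""))
    if invited:  # the invited list takes precedence over the excluded list
        return any(ip in net for net in invited)
    excluded = node_list(params.get("TCP.EXCLUDED_NODES", ""))
    return not any(ip in net for net in excluded)


def audit(params):
    """Return findings describing weak valid node checking settings (empty if none)."""
    findings = []
    if not checking_enabled(params):
        findings.append("TCP.VALIDNODE_CHECKING is off: every client can reach the listener")
    elif not node_list(params.get("TCP.INVITED_NODES", "")):
        findings.append("TCP.VALIDNODE_CHECKING is on but no TCP.INVITED_NODES allowlist is set")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        p = parse_sqlnet(text)
        print(name, audit(p) or ["ok"])
        for ip in ("10.10.5.21", "10.20.0.15", "203.0.113.44"):
            print(f"  {ip}: {'allowed' if client_allowed(p, ip) else 'denied'}")
```

Valid node checking filters by source address only; it complements, rather than replaces, the patch, since a host inside the invited subnets could still reach the vulnerable component.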
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

