CVE-2021-2335 in Database Server
Summary
by MITRE • 07/21/2021
Vulnerability in the Oracle Database - Enterprise Edition Data Redaction component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition Data Redaction. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition Data Redaction accessible data. CVSS 3.1 Base Score 3.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N).
Analysis
by VulDB Data Team • 07/22/2021
This vulnerability resides in the Oracle Database Enterprise Edition Data Redaction component and affects versions 12.1.0.2, 12.2.0.1, and 19c. It enables a low-privileged attacker holding only the Create Session privilege to compromise the data redaction functionality. The attack is carried out over the Oracle Net protocol, has low attack complexity, and relies only on the attacker's ability to open a network connection to the target database. The CVSS 3.1 base score of 3.5 indicates a moderate severity level with an integrity impact, reflecting the potential for unauthorized modification of database records through the data redaction mechanism.
Exploitation requires an attacker to hold basic database session creation privileges and to have network access to the database, which is particularly concerning in environments where such privileges are broadly granted. Because the vulnerability is easy to exploit, an attacker can use it to perform unauthorized update, insert, or delete operations against data that should be protected by data redaction policies, a direct violation of the data integrity controls organizations rely on to protect sensitive information. The user interaction requirement indicates that, while the technical prerequisites are straightforward, successful exploitation depends on some form of social engineering or on actions taken by a user other than the attacker.
The operational impact extends beyond simple data modification, because the flaw undermines the security controls that data redaction is designed to enforce. Organizations running Oracle Database Enterprise Edition with data redaction features are exposed to unauthorized data manipulation that could compromise regulatory compliance requirements and data protection standards. The integrity impact corresponds to CWE-284 (Improper Access Control), here an improper access control weakness within the database security framework. The flaw particularly impacts the confidentiality and integrity aspects of the CIA triad, as attackers can manipulate data that should remain protected through redaction policies.
Mitigation should focus on prompt deployment of Oracle's patch, together with network-level controls that restrict access to database services and proper privilege management. Organizations should review their data redaction configurations to identify potential exploitation paths and add monitoring for unauthorized database access attempts. The vulnerability's classification under ATT&CK techniques T1078 (valid accounts) and T1566 (social engineering) highlights the need for a layered approach covering both technical controls and user awareness training. Regular audits of database privileges and network access controls help prevent the unauthorized access that could facilitate exploitation of this and similar vulnerabilities.