CVE-2021-2337

CVSS base score: 7.2 (HIGH)

📋 TL;DR

This vulnerability in Oracle XML DB allows a high-privileged attacker with network access via Oracle Net to compromise the XML DB component, potentially leading to takeover of that component. It affects Oracle Database Server versions 12.1.0.2, 12.2.0.1, and 19c. The attacker must already hold the Create Any Procedure and Create Public Synonym privileges to exploit it.

💻 Affected Systems

Products:
  • Oracle Database Server
Versions: 12.1.0.2, 12.2.0.1, 19c
Operating Systems: All platforms running affected Oracle Database versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Oracle XML DB component to be enabled and attacker needs Create Any Procedure and Create Public Synonym privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Oracle XML DB, allowing attackers to execute arbitrary code, access or modify sensitive data, and disrupt database operations.

🟠 Likely Case

Privileged attackers with network access gain full control over XML DB functionality, potentially escalating to broader database compromise.

🟢 If Mitigated

Limited impact if proper network segmentation, privilege restrictions, and patching are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle describes it as 'easily exploitable', but it requires specific high privileges. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update July 2021

Vendor Advisory: https://www.oracle.com/security-alerts/cpujul2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from My Oracle Support.
2. Apply the patch following Oracle's patch application procedures.
3. Restart the database instances.
4. Verify that the patch was applied.

🔧 Temporary Workarounds

Restrict Privileges (all platforms)

Remove the Create Any Procedure and Create Public Synonym privileges from users who do not need them. Note that revoking a system privilege granted directly to a user does not remove the same privilege if the user also holds it through a role (for example DBA), so check role grants as well.

REVOKE CREATE ANY PROCEDURE FROM <username>;
REVOKE CREATE PUBLIC SYNONYM FROM <username>;
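Before issuing the REVOKE statements above it helps to know which accounts actually hold the two privileges, directly or through nested roles. The following query is an added example, not part of the advisory; it assumes a session that can read the DBA_* views (for example SYSDBA) and an Oracle 12c or later database (the ORACLE_MAINTAINED column of DBA_USERS does not exist in 11g).

```sql
-- Added example: list every database user that ends up holding
-- CREATE ANY PROCEDURE and/or CREATE PUBLIC SYNONYM, either by a direct grant
-- or through a chain of roles, and flag users holding both (the precondition
-- named for CVE-2021-2337). Assumes SELECT access to the DBA_* views.
WITH role_chain (grantee, granted_role) AS (
  -- roles granted directly to a user or role
  SELECT grantee, granted_role FROM dba_role_privs
  UNION ALL
  -- roles granted to those roles, expanded transitively
  SELECT rc.grantee, rp.granted_role
  FROM role_chain rc
  JOIN dba_role_privs rp ON rp.grantee = rc.granted_role
)
CYCLE granted_role SET is_cycle TO 'Y' DEFAULT 'N',
effective_privs (grantee, privilege, via) AS (
  -- system privileges granted straight to the grantee
  SELECT grantee, privilege, 'DIRECT GRANT'
  FROM dba_sys_privs
  WHERE privilege IN ('CREATE ANY PROCEDURE', 'CREATE PUBLIC SYNONYM')
  UNION
  -- the same privileges inherited from any role in the chain
  SELECT rc.grantee, sp.privilege, 'ROLE ' || rc.granted_role
  FROM role_chain rc
  JOIN dba_sys_privs sp ON sp.grantee = rc.granted_role
  WHERE rc.is_cycle = 'N'
    AND sp.privilege IN ('CREATE ANY PROCEDURE', 'CREATE PUBLIC SYNONYM')
)
SELECT ep.grantee,
       LISTAGG(ep.privilege || ' (' || ep.via || ')', '; ')
         WITHIN GROUP (ORDER BY ep.privilege) AS how_held,
       CASE WHEN COUNT(DISTINCT ep.privilege) = 2
            THEN 'BOTH PRIVILEGES'
            ELSE 'ONE PRIVILEGE' END AS exposure
FROM effective_privs ep
JOIN dba_users u ON u.username = ep.grantee   -- keep users only, drop roles
WHERE u.oracle_maintained = 'N'               -- skip Oracle-supplied accounts (12c+)
GROUP BY ep.grantee
ORDER BY exposure, ep.grantee;
```

Rows whose `how_held` value names a role cannot be fixed by the REVOKE ... FROM <username> statements alone; the privilege has to be revoked from that role or the role from the user.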

Network Access Control (all platforms)

Restrict Oracle Net access to trusted hosts only.

Configure the Oracle Net listener to accept connections only from authorized IP addresses. In Oracle Net this is the valid node checking feature (TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES in sqlnet.ora); a host firewall in front of the listener port provides the same restriction independently of the database configuration.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Oracle Database from untrusted networks
  • Apply principle of least privilege by removing unnecessary privileges from database users

🔍 How to Verify

Check if Vulnerable:

Check the Oracle Database version and patch level with SELECT * FROM v$version; and check the patch status in the Oracle inventory.

Check Version:

SELECT * FROM v$version;

Verify Fix Applied:

Verify patch application through the Oracle OPatch utility: opatch lsinventory | grep -i 'XML DB'

Note that OPatch lists applied patches by patch number and description rather than by component, so also search the output for the July 2021 CPU or Release Update patch number given in the advisory, and cross-check inside the database with SELECT patch_id, status, description FROM dba_registry_sqlpatch;

📡 Detection & Monitoring

Log Indicators:

  • Unusual CREATE PROCEDURE or CREATE PUBLIC SYNONYM statements
  • Suspicious XML DB operations from unexpected sources

Network Indicators:

  • Oracle Net connections from unauthorized sources attempting XML DB operations

SIEM Query:

source="oracle_audit_logs" AND (event_type="CREATE PROCEDURE" OR event_type="CREATE PUBLIC SYNONYM") AND user_privilege="HIGH"

The field names above are illustrative and must be mapped to the actual audit source; with Oracle unified auditing the statement type is in ACTION_NAME of UNIFIED_AUDIT_TRAIL, and an audit policy covering CREATE PROCEDURE and CREATE PUBLIC SYNONYM must be enabled for these events to be recorded at all.
