CVE-2021-2351
📋 TL;DR
This vulnerability in Oracle Database's Advanced Networking Option allows attackers to bypass network encryption protections and potentially compromise the component. It affects Oracle Database Server versions 12.1.0.2, 12.2.0.1, and 19c with Advanced Networking Option enabled. Successful exploitation requires network access via Oracle Net and human interaction from someone other than the attacker.
💻 Affected Systems
- Oracle Database Server with Advanced Networking Option
📦 What is this software?
Agile Engineering Data Management by Oracle
Agile Plm by Oracle
Agile Product Lifecycle Management For Process by Oracle
Application Performance Management by Oracle
Banking Enterprise Default Management by Oracle
Clinical by Oracle
Communications Application Session Controller by Oracle
Communications Billing And Revenue Management by Oracle
Communications Convergent Charging Controller by Oracle
Communications Diameter Intelligence Hub by Oracle
Communications Ip Service Activator by Oracle
Communications Metasolv Solution by Oracle
Communications Network Charging And Control by Oracle
Communications Network Integrity by Oracle
Communications Pricing Design Center by Oracle
Communications Services Gatekeeper by Oracle
Communications Session Report Manager by Oracle
Communications Session Route Manager by Oracle
Documaker by Oracle
Enterprise Manager Base Platform by Oracle
Financial Services Analytical Applications Infrastructure by Oracle
Financial Services Behavior Detection Platform by Oracle
Financial Services Enterprise Case Management by Oracle
Financial Services Foreign Account Tax Compliance Act Management by Oracle
Financial Services Model Management And Governance by Oracle
Financial Services Trade Based Anti Money Laundering by Oracle
Health Sciences Clinical Development Analytics by Oracle
Health Sciences Inform Crf Submit by Oracle
Health Sciences Information Manager by Oracle
Healthcare Translational Research by Oracle
Hospitality Inventory Management by Oracle
Hospitality Reporting And Analytics by Oracle
Hyperion Infrastructure Technology by Oracle
Ilearning by Oracle
Insurance Insbridge Rating And Underwriting by Oracle
Peoplesoft Enterprise Peopletools by Oracle
Primavera P6 Enterprise Project Portfolio Management by Oracle
Primavera P6 Professional Project Management by Oracle
Retail Extract Transform And Load by Oracle
Retail Predictive Application Server by Oracle
Retail Store Inventory Management by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of the Advanced Networking Option component, potentially leading to full database compromise, data exfiltration, and system control.
Likely Case
Bypass of network encryption protections, allowing attackers to intercept or manipulate database communications.
If Mitigated
Limited impact with proper network segmentation, encryption enforcement, and updated cipher configurations.
🎯 Exploit Status
Exploitation requires human interaction (social engineering) and specific network conditions. Public exploit details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2021 Critical Patch Update and later
Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
Restart Required: Yes
Instructions:
1. Apply the Oracle Critical Patch Update from July 2021 or later.
2. Review and implement the Native Network Encryption changes per Oracle Doc ID 2791571.1.
3. Restart database services.
🔧 Temporary Workarounds
Disable weak ciphers
Configure Native Network Encryption to use only strong algorithms and disable the deprecated ones. These are sqlnet.ora parameters, not database initialization parameters, so they are set in the sqlnet.ora file on the server and on each client (an ALTER SYSTEM SET on them fails), and they take effect for new connections once the file is saved.
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
Network segmentation
Restrict network access to Oracle Database listener ports (typically 1521) to trusted sources only.
🧯 If You Can't Patch
- Implement strict network access controls and firewall rules to limit Oracle Net connections
- Enable comprehensive logging and monitoring for unusual database network activity
🔍 How to Verify
Check if Vulnerable:
Check the Oracle Database version and patch level:
SQL> SELECT * FROM v$version;
SQL> SELECT * FROM dba_registry_history;
Note that Release Updates and patch set updates applied with datapatch are recorded in DBA_REGISTRY_SQLPATCH, so check that view as well when DBA_REGISTRY_HISTORY shows nothing recent.
Check Version:
SQL> SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
Verify Fix Applied:
Verify the patch is applied (use an explicit date conversion so the comparison does not depend on the session's NLS_DATE_FORMAT):
SQL> SELECT comments FROM dba_registry_history WHERE action_time > TO_TIMESTAMP('2021-07-01', 'YYYY-MM-DD');
Then check the Native Network Encryption algorithm configuration in sqlnet.ora on the server and on the clients.
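The "Disable weak ciphers" workaround and the "check cipher configuration" verification step above both come down to reading sqlnet.ora and confirming that no deprecated Native Network Encryption algorithm is still negotiable. The following audit script is an added example written for this page, not Oracle's code or tooling. It parses the `KEY = VALUE` / `KEY = (V1, V2)` syntax of sqlnet.ora, then reports the weak settings on one side (SERVER or CLIENT). The set of algorithms it treats as weak (DES, DES40, 3DES, the RC4 variants, and MD5 for integrity) is an assumption that follows Oracle's deprecation of those NNE algorithms; the parameter names SQLNET.ENCRYPTION_*, SQLNET.ENCRYPTION_TYPES_*, SQLNET.CRYPTO_CHECKSUM_TYPES_* and SQLNET.ALLOW_WEAK_CRYPTO are real sqlnet.ora parameters. Because the default of SQLNET.ALLOW_WEAK_CRYPTO depends on patch level, the check wants it set explicitly to FALSE. Both sample files are constructed for the example.

```python
from typing import Dict, List

# Assumption: these Native Network Encryption algorithms are the ones Oracle
# deprecated as weak; adjust the sets to your platform's documentation.
WEAK_ENCRYPTION = {"DES", "DES40", "3DES112", "3DES168",
                   "RC4_40", "RC4_56", "RC4_128", "RC4_256"}
WEAK_CHECKSUM = {"MD5"}
ENFORCING_MODES = {"REQUIRED", "REQUESTED"}


def parse_sqlnet(text: str) -> Dict[str, List[str]]:
    """Parse the KEY = VALUE and KEY = (V1, V2) lines of a sqlnet.ora file.

    Comments start with '#'. Keys and values are upper-cased; every value is
    returned as a list so scalars and parenthesised lists are handled alike.
    """
    params: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        inner = value[1:-1] if value.startswith("(") and value.endswith(")") else value
        params[key.upper()] = [v.strip().upper() for v in inner.split(",") if v.strip()]
    return params


def audit_nne(text: str, side: str = "SERVER") -> List[str]:
    """Return findings for weak NNE settings on one side ("SERVER" or "CLIENT")."""
    p = parse_sqlnet(text)
    findings: List[str] = []

    # ACCEPTED (the default) lets the peer decide; only REQUIRED/REQUESTED enforce.
    mode = p.get(f"SQLNET.ENCRYPTION_{side}", ["ACCEPTED"])[0]
    if mode not in ENFORCING_MODES:
        findings.append(f"SQLNET.ENCRYPTION_{side}={mode}: encryption is not enforced, "
                        "the peer decides whether the session is encrypted")

    # An unset algorithm list means every installed algorithm may be negotiated.
    enc_types = p.get(f"SQLNET.ENCRYPTION_TYPES_{side}", [])
    if not enc_types:
        findings.append(f"SQLNET.ENCRYPTION_TYPES_{side} unset: every installed algorithm, "
                        "including deprecated ones, is negotiable")
    else:
        weak = sorted(set(enc_types) & WEAK_ENCRYPTION)
        if weak:
            findings.append(f"weak encryption algorithms allowed: {', '.join(weak)}")

    weak_sums = sorted(set(p.get(f"SQLNET.CRYPTO_CHECKSUM_TYPES_{side}", [])) & WEAK_CHECKSUM)
    if weak_sums:
        findings.append(f"weak integrity algorithms allowed: {', '.join(weak_sums)}")

    # Require an explicit FALSE; the default differs between patch levels.
    if p.get("SQLNET.ALLOW_WEAK_CRYPTO", ["UNSET"])[0] != "FALSE":
        findings.append("SQLNET.ALLOW_WEAK_CRYPTO is not explicitly FALSE: deprecated "
                        "algorithms may still be accepted")
    return findings


# Constructed sample: a server sqlnet.ora that still allows deprecated algorithms.
WEAK_SQLNET_ORA = """\
# constructed example, not a real deployment
SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_256, 3DES168, AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = accepted
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5, SHA1)
SQLNET.ALLOW_WEAK_CRYPTO = TRUE
"""

# Constructed sample: the same file after the workaround is applied.
HARDENED_SQLNET_ORA = """\
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
SQLNET.ALLOW_WEAK_CRYPTO = FALSE
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        findings = audit_nne(conf)
        print(f"{name}: {'no findings' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the real files with `audit_nne(open(path).read(), "SERVER")` on the database host and `audit_nne(..., "CLIENT")` on each client, since the algorithm lists are negotiated between both sides and a weak client setting is enough for a downgraded session.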
📡 Detection & Monitoring
Log Indicators:
- Unusual network encryption negotiation failures
- Multiple connection attempts with different cipher suites
- Oracle Net protocol anomalies
Network Indicators:
- Unusual traffic patterns on Oracle Net ports
- Attempts to negotiate weak encryption ciphers
- Suspicious database connection attempts
SIEM Query:
source="oracle_audit.log" AND (event="NETWORK_ENCRYPTION_FAILURE" OR cipher_suite="*weak*")
🔗 References
- http://packetstormsecurity.com/files/165255/Oracle-Database-Protection-Mechanism-Bypass.html
- http://packetstormsecurity.com/files/165258/Oracle-Database-Weak-NNE-Integrity-Key-Derivation.html
- http://seclists.org/fulldisclosure/2021/Dec/19
- http://seclists.org/fulldisclosure/2021/Dec/20
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2023.html
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html