CVE-2021-35619

7.1 HIGH

📋 TL;DR

This vulnerability in Oracle Database Server's Java VM component allows attackers with low privileges (Create Procedure access) and network access via Oracle Net to potentially compromise the Java VM. Successful exploitation requires human interaction from someone other than the attacker and could lead to complete takeover of the Java VM. Affected versions include Oracle Database Server 12.1.0.2, 12.2.0.1, 19c, and 21c.

💻 Affected Systems

Products:
  • Oracle Database Server
Versions: 12.1.0.2, 12.2.0.1, 19c, 21c
Operating Systems: All platforms running affected Oracle Database versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Create Procedure privilege and Oracle Net network access. Human interaction from another user is required for successful exploitation.

📦 What is this software?

Oracle Database Server is Oracle's relational database management system. Its Java VM component (Oracle JVM) runs Java code, such as Java stored procedures, inside the database process, which is why the CREATE PROCEDURE privilege is the entry point for this issue.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Java VM component leading to potential data exfiltration, system manipulation, or denial of service across the entire Oracle Database instance.

🟠

Likely Case

Limited impact due to the requirement for human interaction and low privilege access, but could still result in unauthorized access to sensitive database functions or data.

🟢

If Mitigated

Minimal to no impact if proper access controls, network segmentation, and user awareness training are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires low privileged access, network connectivity, and human interaction from another user, making it difficult to exploit in practice.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update October 2021

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from My Oracle Support.
2. Apply the patch following Oracle's patch application procedures.
3. Restart the Oracle Database instance and any dependent services.

🔧 Temporary Workarounds

Restrict Create Procedure Privilege

Applies to: all platforms

Grant the Create Procedure privilege only to users who genuinely need it, to reduce the attack surface; remember that it is also inherited through roles such as RESOURCE.

REVOKE CREATE PROCEDURE FROM <username>;

Network Access Controls

Applies to: all platforms

Restrict Oracle Net access to trusted networks only

Configure firewall rules to limit Oracle Net port access (typically 1521)

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Oracle Database servers from untrusted networks
  • Enforce least privilege access controls and regularly audit user privileges

🔍 How to Verify

Check if Vulnerable:

Check the Oracle Database release with the SQL query SELECT * FROM v$version; and then review the applied patch history, since v$version alone does not show whether a Critical Patch Update has been applied.

Check Version:

sqlplus / as sysdba
SELECT * FROM v$version;

Verify Fix Applied:

Verify patch application by checking the patch level (for example DBA_REGISTRY_SQLPATCH or opatch lsinventory) and confirming that the October 2021 Critical Patch Update for the installed release is present.
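The two checks above (who can still create procedures after the workaround, and whether the fix is in place) can be run from one SQL*Plus session as a DBA. This is an added example, not part of the advisory; it assumes the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS and DBA_REGISTRY_SQLPATCH views (12c and later), and the CPU patch number to look for must be taken from the Oracle advisory linked above.

```sql
-- Added example (not from the advisory). Part 1: every account that holds
-- CREATE PROCEDURE, either granted directly or inherited through a chain of
-- roles (e.g. user -> RESOURCE -> CREATE PROCEDURE). Only real users are
-- listed; roles themselves are walked but not reported.
WITH role_tree (grantee, granted_role, path) AS (
  -- roles granted directly to a user or to another role
  SELECT grantee, granted_role, grantee || ' -> ' || granted_role
  FROM   dba_role_privs
  UNION ALL
  -- follow roles that are granted to roles
  SELECT rt.grantee, rp.granted_role, rt.path || ' -> ' || rp.granted_role
  FROM   role_tree rt
  JOIN   dba_role_privs rp ON rp.grantee = rt.granted_role
)
SELECT sp.grantee AS holder, 'DIRECT' AS via, NULL AS role_path
FROM   dba_sys_privs sp
JOIN   dba_users u ON u.username = sp.grantee
WHERE  sp.privilege = 'CREATE PROCEDURE'
UNION ALL
SELECT rt.grantee, 'ROLE', rt.path
FROM   role_tree rt
JOIN   dba_sys_privs sp ON sp.grantee = rt.granted_role
                        AND sp.privilege = 'CREATE PROCEDURE'
JOIN   dba_users u ON u.username = rt.grantee
ORDER BY 1, 2;

-- Part 2: patch history. v$version only reports the base release; the
-- SQL patch registry shows which patches were actually applied to this
-- database. Compare the DESCRIPTION / PATCH_ID with the October 2021 CPU
-- entry from the vendor advisory (placeholder: not listed on this page).
SELECT patch_id, action, status, action_time, description
FROM   dba_registry_sqlpatch
ORDER  BY action_time DESC;
```

Any HOLDER returned by Part 1 that is not an intended developer account is a candidate for REVOKE CREATE PROCEDURE or for removal of the granting role; Part 2 should show the CPU patch with STATUS = SUCCESS.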

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java VM activity
  • Failed privilege escalation attempts
  • Suspicious CREATE PROCEDURE statements

Network Indicators:

  • Unusual Oracle Net traffic patterns
  • Connection attempts from unauthorized sources

SIEM Query:

source="oracle_audit_logs" AND (event_type="CREATE_PROCEDURE" OR component="Java VM")

🔗 References
