CVE-2022-21410

7.2 HIGH

📋 TL;DR

This vulnerability in the Sharding component of Oracle Database 19c Enterprise Edition allows an attacker who holds the Create Any Procedure privilege and has network access via Oracle Net to compromise the sharding component. Successful exploitation can lead to complete takeover of Oracle Database Sharding, affecting organizations running vulnerable Oracle Database configurations.

💻 Affected Systems

Products:
  • Oracle Database Server - Enterprise Edition Sharding
Versions: 19c
Operating Systems: All platforms running Oracle Database 19c
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Create Any Procedure privilege and Oracle Net network access

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Oracle Database Sharding component leading to full database takeover, data exfiltration, integrity destruction, and service disruption.

🟠 Likely Case

A privileged attacker with network access and Create Any Procedure rights gains full control over sharding operations, potentially affecting data distribution and availability.

🟢 If Mitigated

With proper privilege controls and network segmentation, impact is limited to authorized administrative functions only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires high privilege (Create Any Procedure) but is described as 'easily exploitable' by Oracle

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update for April 2022 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html

Restart Required: Yes

Instructions:

1. Download Critical Patch Update from Oracle Support
2. Apply patch to Oracle Database 19c installations
3. Restart database services
4. Verify patch application

🔧 Temporary Workarounds

Restrict Create Any Procedure Privilege

Remove or restrict Create Any Procedure privilege from non-essential users

REVOKE CREATE ANY PROCEDURE FROM <username>;

Network Access Controls

Restrict Oracle Net access to trusted networks only

Configure firewall rules to limit Oracle Net port access

🧯 If You Can't Patch

  • Implement strict privilege management - review and minimize users with Create Any Procedure privilege
  • Enforce network segmentation - restrict Oracle Net access to administrative networks only

🔍 How to Verify

Check if Vulnerable:

Check the Oracle Database version and patch level (SELECT * FROM v$version;) and confirm whether the April 2022 Critical Patch Update, or a later one, has been applied.

Check Version:

SELECT * FROM v$version;
SELECT * FROM dba_registry_history;

Verify Fix Applied:

Verify Critical Patch Update April 2022 or later is applied and check patch registry
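The verification and workaround steps above, turned into dictionary queries as an added example (not from the original page or from Oracle). It assumes DBA access on a 19c database and the standard data dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_REGISTRY_SQLPATCH.

```sql
-- Added example, not part of the original page. Assumes DBA access.

-- 1. Direct grants of the privilege this CVE requires.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE ANY PROCEDURE'
 ORDER BY grantee;

-- 2. Roles that carry the privilege, and the users or roles that hold them
--    (one level of nesting; deeper role chains need a recursive query).
SELECT rp.grantee AS holder, sp.grantee AS via_role
  FROM dba_sys_privs sp
  JOIN dba_role_privs rp ON rp.granted_role = sp.grantee
 WHERE sp.privilege = 'CREATE ANY PROCEDURE'
 ORDER BY rp.grantee;

-- 3. Patch registry written by datapatch: the most recent APPLY rows should
--    show a Release Update from April 2022 or later with STATUS = SUCCESS.
SELECT patch_id, patch_type, action, status, target_version, action_time
  FROM dba_registry_sqlpatch
 WHERE action = 'APPLY'
 ORDER BY action_time DESC;

-- 4. Workaround from the page, applied to each non-essential holder found
--    in step 1. <username> is a placeholder.
-- REVOKE CREATE ANY PROCEDURE FROM <username>;
```

Accounts that appear only in step 2 must be handled by revoking the privilege from the role or by removing the role, not by the REVOKE in step 4.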

📡 Detection & Monitoring

Log Indicators:

  • Unusual CREATE PROCEDURE statements
  • Suspicious sharding component access
  • Privilege escalation attempts

Network Indicators:

  • Oracle Net traffic from unexpected sources
  • Unusual database connection patterns

SIEM Query:

source="oracle_audit" AND (event="CREATE PROCEDURE" OR privilege="CREATE ANY PROCEDURE")
