CVE-2024-20909

7.5 HIGH

📋 TL;DR

This vulnerability in Oracle Audit Vault and Database Firewall allows unauthenticated attackers with network access via Oracle Net to modify or delete critical data. It affects versions 20.1 through 20.9, potentially compromising the integrity of firewall audit data and configurations.

💻 Affected Systems

Products:
  • Oracle Audit Vault and Database Firewall
Versions: 20.1 through 20.9
Operating Systems: Not specified - Oracle appliance/software
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Oracle Net network access to the firewall component. All supported versions in the range are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could delete or alter all audit logs and firewall rules, destroying forensic evidence and disabling security controls.

🟠 Likely Case: Attackers would modify or delete specific audit records to cover tracks or disrupt compliance reporting.

🟢 If Mitigated: With proper network segmentation and access controls, impact would be limited to isolated segments.

🌐 Internet-Facing: HIGH - Unauthenticated network access makes internet-exposed instances prime targets.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but requires Oracle Net access to vulnerable component.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle describes as 'easily exploitable' with no authentication required via Oracle Net protocol.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update January 2024

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2024.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support.
2. Apply the patch following Oracle documentation.
3. Restart Oracle Audit Vault and Database Firewall services.
4. Verify patch application.

🔧 Temporary Workarounds

Network Segmentation (Linux, iptables)

Restrict Oracle Net access to trusted hosts only using firewall rules. Replace trusted_ip with the address or CIDR range of each administrative host and repeat the ACCEPT line once per host. Rules are matched top-down, so the ACCEPT must precede the DROP (an earlier catch-all ACCEPT in the INPUT chain would make both rules dead), and 1521 is only the default listener port; adjust it if the listener is configured differently.

# allow Oracle Net (default listener port 1521) from a trusted host, drop it from everyone else
iptables -A INPUT -p tcp --dport 1521 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 1521 -j DROP

Access Control Lists (any platform)

Implement network ACLs to limit Oracle Net connections to administrative systems only.

🧯 If You Can't Patch

  • Isolate Oracle Audit Vault and Database Firewall on separate VLAN with strict access controls.
  • Implement network monitoring for unusual Oracle Net traffic patterns to/from the appliance.

🔍 How to Verify

Check if Vulnerable:

Check Oracle Audit Vault and Database Firewall version via admin console or command: avctl status

Check Version:

avctl version

Verify Fix Applied:

Verify patch applied via Oracle patch verification tools and check version is above 20.9.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized Oracle Net connection attempts
  • Unexpected data modification events in audit logs
  • Configuration changes from unauthenticated sources

Network Indicators:

  • Oracle Net traffic from unexpected sources
  • Burst of Oracle Net connections
  • Unusual data volume over Oracle Net

SIEM Query:

source="oracle_avdf" AND (event_type="data_modification" OR event_type="config_change") AND user="unauthenticated"
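As an added defensive example (not from this advisory page and not Oracle's code), the following Python script applies the network indicators listed above to listener log lines: it flags connections from sources outside an administrative allow-list and bursts of connections from a single source. The log lines are constructed and only approximate the Oracle listener.log "establish" layout; the service name, the hosts, the allow-list and the burst threshold are all assumptions, so adjust the regular expression to your own listener output before relying on it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real traffic). The layout approximates
# listener.log; the service name "avdf" and all addresses are assumptions.
SAMPLE_LOG = """\
12-JAN-2024 10:15:22 * (CONNECT_DATA=(SERVICE_NAME=avdf)(CID=(PROGRAM=sqlplus)(HOST=admin01)(USER=avadmin))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.5.20)(PORT=51234)) * establish * avdf * 0
12-JAN-2024 10:15:40 * (CONNECT_DATA=(SERVICE_NAME=avdf)(CID=(PROGRAM=unknown)(HOST=host-x)(USER=nobody))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=40001)) * establish * avdf * 0
12-JAN-2024 10:15:41 * (CONNECT_DATA=(SERVICE_NAME=avdf)(CID=(PROGRAM=unknown)(HOST=host-x)(USER=nobody))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=40002)) * establish * avdf * 0
12-JAN-2024 10:15:42 * (CONNECT_DATA=(SERVICE_NAME=avdf)(CID=(PROGRAM=unknown)(HOST=host-x)(USER=nobody))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=40003)) * establish * avdf * 0
12-JAN-2024 10:15:43 * (CONNECT_DATA=(SERVICE_NAME=avdf)(CID=(PROGRAM=unknown)(HOST=host-x)(USER=nobody))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=40004)) * establish * avdf * 0
12-JAN-2024 10:16:05 * (CONNECT_DATA=(SERVICE_NAME=avdf)(CID=(PROGRAM=sqlplus)(HOST=admin02)(USER=avadmin))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.5.21)(PORT=51300)) * establish * avdf * 0
"""

# Matches the timestamp and the client address of an "establish" record.
# Assumed layout; adjust for your listener's actual log format.
ESTABLISH_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* .*?"
    r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=(?P<host>[\d.]+)\)\(PORT=(?P<port>\d+)\)\) \* establish"
)


def parse_establish(line):
    """Return (timestamp, client_ip, client_port) for an establish line, else None."""
    m = ESTABLISH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("host"), int(m.group("port"))


def analyze(log_text, allowed_networks, burst_threshold=3, window=timedelta(seconds=10)):
    """Flag connections from outside the allow-list and per-source bursts.

    A burst is burst_threshold or more connections from one source inside
    any sliding window of the given length.
    """
    nets = [ip_network(n) for n in allowed_networks]
    unexpected = set()
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_establish(line)
        if rec is None:
            continue  # not a connection record; skip
        ts, host, _port = rec
        per_host[host].append(ts)
        if not any(ip_address(host) in n for n in nets):
            unexpected.add(host)

    bursts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window: count connections within `window` of each other.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= burst_threshold:
            bursts[host] = peak
    return {"unexpected_sources": sorted(unexpected), "bursts": bursts}


if __name__ == "__main__":
    # Assumed administrative network; everything else is unexpected.
    print(analyze(SAMPLE_LOG, ["10.10.5.0/24"]))
```

Run against the sample the script reports 198.51.100.7 both as an unexpected source and as a burst of four connections in three seconds; the two administrative hosts produce nothing. In production, feed it the listener log of the AVDF appliance and make the allow-list the same set of hosts permitted by the firewall rules above, so a hit in this script means the network control and the log disagree.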
