Multiple vulnerabilities in Oracle Database Server
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 8 |
| CVE-ID | CVE-2021-2035 CVE-2021-2018 CVE-2021-2054 CVE-2021-1993 CVE-2021-2045 CVE-2021-2000 CVE-2021-2116 CVE-2021-2117 |
| CWE-ID | CWE-20 CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Oracle Database Server Server applications / Database software |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU49731
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-2035
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to execute arbitrary code.
The vulnerability exists due to improper input validation within the RDBMS Scheduler in Oracle Database Server. A remote authenticated user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle Database Server: 12.1.0.2 - 19c
CPE2.3- cpe:2.3:a:oracle:oracle_database:12.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:18c:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2021.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU49732
Risk: High
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-2018
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Advanced Networking Option in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle Database Server: 18c - 19c
CPE2.3- cpe:2.3:a:oracle:oracle_database:18c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19c:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2021.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU49733
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-2054
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the execution of stored procedures in the RDBMS Sharding feature in Oracle Database Server. A remote privileged user can exploit this vulnerability to execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle Database Server: 12.2.0.1 - 19c
CPE2.3- cpe:2.3:a:oracle:oracle_database:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:18c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19c:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2021.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper input validation
EUVDB-ID: #VU49734
Risk: Medium
CVSSv4.0: 1.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-1993
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
The vulnerability exists due to improper input validation within the Java VM in Oracle Database Server. A remote authenticated user can exploit this vulnerability to manipulate data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle Database Server: 12.1.0.2 - 19c
CPE2.3- cpe:2.3:a:oracle:oracle_database:12.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:18c:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2021.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper input validation
EUVDB-ID: #VU49735
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-2045
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to perform service disruption.
The vulnerability exists due to improper input validation within the Oracle Text in Oracle Database Server. A remote authenticated user can exploit this vulnerability to perform service disruption.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle Database Server: 12.1.0.2 - 19c
CPE2.3- cpe:2.3:a:oracle:oracle_database:12.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:18c:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2021.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper input validation
EUVDB-ID: #VU49736
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-2000
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to manipulate data.
The vulnerability exists due to improper input validation within the Unified Audit in Oracle Database Server. A remote privileged user can exploit this vulnerability to manipulate data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle Database Server: 12.1.0.2 - 19c
CPE2.3- cpe:2.3:a:oracle:oracle_database:12.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:18c:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2021.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cross-site scripting
EUVDB-ID: #VU49737
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-2116
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Oracle Application Express Opportunity Tracker. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle Database Server: before 20.2
CPE2.3 External linkshttps://www.oracle.com/security-alerts/cpujan2021.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site scripting
EUVDB-ID: #VU49738
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-2117
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Oracle Application Express Survey Builder. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOracle Database Server: before 20.2
CPE2.3 External linkshttps://www.oracle.com/security-alerts/cpujan2021.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
