SB2021011912 - Multiple vulnerabilities in Oracle Database Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021011912

SB2021011912 - Multiple vulnerabilities in Oracle Database Server

Published: January 19, 2021

Security Bulletin ID SB2021011912
Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 25% Medium 38% Low 38%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2021-2035)

The vulnerability allows a remote authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the RDBMS Scheduler in Oracle Database Server. A remote authenticated user can exploit this vulnerability to execute arbitrary code.


2) Improper input validation (CVE-ID: CVE-2021-2018)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Advanced Networking Option in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


3) Improper input validation (CVE-ID: CVE-2021-2054)

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the execution of stored procedures in the RDBMS Sharding feature in Oracle Database Server. A remote privileged user can exploit this vulnerability to execute arbitrary code.


4) Improper input validation (CVE-ID: CVE-2021-1993)

The vulnerability allows a remote authenticated user to manipulate data.

The vulnerability exists due to improper input validation within the Java VM in Oracle Database Server. A remote authenticated user can exploit this vulnerability to manipulate data.


5) Improper input validation (CVE-ID: CVE-2021-2045)

The vulnerability allows a remote authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Oracle Text in Oracle Database Server. A remote authenticated user can exploit this vulnerability to perform service disruption.


6) Improper input validation (CVE-ID: CVE-2021-2000)

The vulnerability allows a remote privileged user to manipulate data.

The vulnerability exists due to improper input validation within the Unified Audit in Oracle Database Server. A remote privileged user can exploit this vulnerability to manipulate data.


7) Cross-site scripting (CVE-ID: CVE-2021-2116)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Oracle Application Express Opportunity Tracker. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


8) Cross-site scripting (CVE-ID: CVE-2021-2117)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Oracle Application Express Survey Builder. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


Remediation

Install update from vendor's website.

References