SB2022041933 - Multiple vulnerabilities in Oracle Database Server
Published: April 19, 2022 Updated: April 19, 2022
Breakdown by Severity (chart; severity levels: Low, Medium, High, Critical)
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Resource management error (CVE-ID: CVE-2021-22569)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. protobuf-java allows the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they are processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. A remote attacker can trick the victim into passing specially crafted data to the application and perform a denial of service attack.
2) Improper input validation (CVE-ID: CVE-2022-21411)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the RDBMS Gateway / Generic ODBC Connectivity in Oracle Database Server. A remote authenticated user can exploit this vulnerability to read and manipulate data.
3) Improper input validation (CVE-ID: CVE-2022-21498)
The vulnerability allows a remote authenticated user to manipulate data.
The vulnerability exists due to improper input validation within the Java VM in Oracle Database Server. A remote authenticated user can exploit this vulnerability to manipulate data.
4) Improper input validation (CVE-ID: CVE-2022-21410)
The vulnerability allows a remote privileged user to execute arbitrary code.
The vulnerability exists due to improper input validation within the Oracle Database - Enterprise Edition Sharding in Oracle Database Server. A remote privileged user can exploit this vulnerability to execute arbitrary code.
Remediation
Install the update from the vendor's website.