SB2023041844 - Multiple vulnerabilities in Oracle Database Server

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2022-45061)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of an unnecessary quadratic algorithm in one path when processing some inputs to the IDNA (RFC 3490) decoder. A remote attacker can pass a specially crafted name to he decoder, trigger resource excessive CPU consumption and perform a denial of service (DoS) attack.

2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-24998)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to Apache Commons FileUpload does not limit the number of request parts. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.

3) Improper input validation (CVE-ID: CVE-2023-21918)

The vulnerability allows a remote privileged user to a crash the entire system.

The vulnerability exists due to improper input validation within the Oracle Database Recovery Manager in Oracle Database Server. A remote privileged user can exploit this vulnerability to a crash the entire system.

4) Improper input validation (CVE-ID: CVE-2023-21934)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Java VM in Oracle Database Server. A remote authenticated user can exploit this vulnerability to read and manipulate data.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpuapr2023.html?1408