SB2023101771 - Multiple vulnerabilities in Oracle Database Server
Published: October 17, 2023

Security Bulletin ID: SB2023101771
Severity: High
Patch available: Yes
Number of vulnerabilities: 10
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 10%, Medium: 40%, Low: 50%, Critical: 0%

Description

This security bulletin contains information about 10 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2023-22074)

The vulnerability allows a remote privileged user to cause a denial of service.

The vulnerability exists due to improper input validation within the Oracle Database Sharding component of Oracle Database Server. A remote privileged user can exploit this vulnerability to disrupt the service.


2) Improper input validation (CVE-ID: CVE-2023-22075)

The vulnerability allows a remote privileged user to cause a denial of service.

The vulnerability exists due to improper input validation within the Oracle Database Sharding component of Oracle Database Server. A remote privileged user can exploit this vulnerability to disrupt the service.


3) Improper input validation (CVE-ID: CVE-2023-35116)

The vulnerability allows a remote authenticated user to cause a denial of service.

The vulnerability exists due to improper input validation in the jackson-databind library bundled with Oracle Database Fleet Patching and Provisioning in Oracle Database Server. A remote authenticated user can exploit this vulnerability to disrupt the service.


4) Improper input validation (CVE-ID: CVE-2023-22073)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Oracle Notification Server in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


5) Improper input validation (CVE-ID: CVE-2023-22096)

The vulnerability allows a remote authenticated user to manipulate data.

The vulnerability exists due to improper input validation within the Java VM in Oracle Database Server. A remote authenticated user can exploit this vulnerability to manipulate data.


6) Improper input validation (CVE-ID: CVE-2023-22077)

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Oracle Database Recovery Manager in Oracle Database Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.


7) Improper input validation (CVE-ID: CVE-2023-22071)

The vulnerability allows a remote privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the PL/SQL in Oracle Database Server. A remote privileged user can exploit this vulnerability to read and manipulate data.


8) Insufficient verification of data authenticity (CVE-ID: CVE-2022-23491)

The vulnerability allows a remote attacker to bypass certificate validation checks.

The vulnerability exists because the TrustCor root certificates were present in the bundled root certificate list. They were removed from the list after it became known that TrustCor's ownership also operated a business that produced spyware, so any check that relies on a certificate chain ending in a TrustCor root can no longer be trusted: a certificate issued under those roots would still pass validation in an unpatched installation.


9) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2022-44729)

The vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.

Successful exploitation may allow a remote attacker to gain access to sensitive data located on the local network, or to send malicious requests to other servers from the vulnerable system.
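The defence against this class of bug is to validate the destination before the server opens the connection. The following is an added illustration, not code from Oracle Database Server or from the component affected by CVE-2022-44729. The allowlist, the fake DNS table standing in for socket.getaddrinfo(), and the sample URLs are assumptions constructed for the example; it goes beyond the bulletin's one-line description by also covering the userinfo trick and DNS rebinding.

```python
"""Added example: validating a user-supplied URL before the server fetches it.

Illustrative code, not code from Oracle or the affected component. The
allowlist, the fake resolver table and the sample URLs are assumptions.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Assumed policy: outbound fetches may only go to these hosts over HTTPS on 443.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

# Constructed DNS answers standing in for socket.getaddrinfo(). Public
# addresses are used because ipaddress treats the documentation ranges
# (203.0.113.0/24, 2001:db8::/32) as non-public.
FAKE_DNS: Dict[str, List[str]] = {
    "api.example.com": ["1.1.1.1"],
    "cdn.example.com": ["2606:4700:4700::1111"],
}

Resolver = Callable[[str], List[str]]


class SSRFRejected(ValueError):
    """Raised when a URL fails any of the checks below."""


def fetch_unchecked(url: str) -> str:
    """The vulnerable pattern: whatever the user supplies becomes the target."""
    return url  # in real code: requests.get(url), URL.openStream(), ...


def is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so loopback and
    RFC 1918 space cannot hide behind an IPv6 literal.
    """
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url: str, resolve: Resolver) -> Tuple[str, int]:
    """Return (ip, port) the client must connect to, or raise SSRFRejected.

    Returning the resolved address lets the caller pin the connection to it
    (keeping the original name for Host/SNI), so a second lookup inside the
    HTTP library cannot be answered differently (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFRejected(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # https://api.example.com@169.254.169.254/ targets the second host
        raise SSRFRejected("userinfo in URL not allowed")
    host = parts.hostname  # urlsplit lowercases this for us
    if host is None or host not in ALLOWED_HOSTS:
        raise SSRFRejected(f"host {host!r} not in allowlist")
    try:
        port = parts.port or 443
    except ValueError as exc:  # non-numeric port
        raise SSRFRejected("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise SSRFRejected(f"port {port} not allowed")
    addresses = resolve(host)
    if not addresses:
        raise SSRFRejected(f"{host} did not resolve")
    for addr in addresses:  # every answer must be public, not just the first
        if not is_public_address(addr):
            raise SSRFRejected(f"{host} resolves to non-public {addr}")
    return addresses[0], port


def check(url: str, resolve: Resolver = lambda h: FAKE_DNS.get(h, [])) -> str:
    """Convenience wrapper: 'ok <ip>:<port>' or 'rejected: <reason>'."""
    try:
        ip, port = validate_target(url, resolve)
    except SSRFRejected as exc:
        return f"rejected: {exc}"
    return f"ok {ip}:{port}"


if __name__ == "__main__":
    for sample in ("https://api.example.com/v1/items",
                   "http://api.example.com/",
                   "https://169.254.169.254/latest/meta-data/",
                   "https://api.example.com@169.254.169.254/",
                   "https://api.example.com:8080/"):
        print(sample, "->", check(sample))
```

The resolver is injected so the check can be exercised offline; in production it wraps socket.getaddrinfo() and the HTTP client connects to the returned address rather than re-resolving the name.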


10) Resource exhaustion (CVE-ID: CVE-2023-38039)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not limit the total size of HTTP headers received during a single transfer that it retains for later reference. A malicious server can return responses with excessively large or numerous headers and exhaust the application's memory.
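The point of this bug is that the cap has to be cumulative over everything retained for one transfer, including the responses of a redirect chain, and has to be checked before each line is stored rather than after the whole response has been read. The following is an added illustration of that pattern, not code from Oracle Database Server or from the HTTP library affected by CVE-2023-38039; the limit, the class names and the constructed redirect chain are assumptions made for the example.

```python
"""Added example: capping the bytes of HTTP headers retained per transfer.

Illustrative code, not code from Oracle or the affected HTTP library.
The cap, the class names and the sample responses are assumptions.
"""
from typing import List, Optional, Tuple


class HeaderLimitExceeded(Exception):
    """Raised when retained header bytes would exceed the configured cap."""


class HeaderStore:
    """Collects headers from every response seen during one transfer.

    A redirect chain or retry loop feeds several responses into the same
    transfer, so the cap is cumulative across all of them, not per response.
    max_total=None reproduces the unbounded (vulnerable) behaviour.
    """

    def __init__(self, max_total: Optional[int]) -> None:
        self.max_total = max_total
        self.retained = 0  # header bytes kept so far for this transfer
        self.headers: List[Tuple[int, str, str]] = []  # (hop, name, value)

    def add_response(self, hop: int, raw: bytes) -> None:
        head, sep, _body = raw.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete response head")
        for line in head.split(b"\r\n")[1:]:  # skip the status line
            # Check before storing, so a hostile server cannot grow memory
            # with one enormous line or with thousands of small ones.
            if self.max_total is not None and self.retained + len(line) > self.max_total:
                raise HeaderLimitExceeded(
                    f"hop {hop}: cap of {self.max_total} bytes reached")
            name, _, value = line.partition(b":")
            self.headers.append((hop,
                                 name.strip().lower().decode("latin-1"),
                                 value.strip().decode("latin-1")))
            self.retained += len(line)


def build_response(status_line: str, headers: List[Tuple[str, str]]) -> bytes:
    """Serialise a minimal HTTP/1.1 response head (constructed test data)."""
    lines = [status_line] + [f"{k}: {v}" for k, v in headers] + ["", ""]
    return "\r\n".join(lines).encode("latin-1")


def hostile_redirect_chain(hops: int, pad: int) -> List[bytes]:
    """A server that answers each hop with a redirect carrying `pad` junk bytes."""
    chain = [build_response("HTTP/1.1 302 Found",
                            [("Location", f"/r{i + 1}"), ("X-Junk", "A" * pad)])
             for i in range(hops)]
    chain.append(build_response("HTTP/1.1 200 OK", [("Content-Length", "0")]))
    return chain


def run_transfer(responses: List[bytes],
                 max_total: Optional[int]) -> Tuple[int, Optional[int]]:
    """Feed responses into one store.

    Returns (bytes retained, hop at which the cap tripped or None).
    """
    store = HeaderStore(max_total)
    for hop, raw in enumerate(responses):
        try:
            store.add_response(hop, raw)
        except HeaderLimitExceeded:
            return store.retained, hop
    return store.retained, None


if __name__ == "__main__":
    chain = hostile_redirect_chain(hops=20, pad=1000)
    print("unbounded:", run_transfer(chain, None))   # keeps growing with the chain
    print("capped   :", run_transfer(chain, 8192))   # stops at the configured limit
```

Scaling the constructed chain up (more hops, a larger pad) makes the unbounded store grow without limit while the capped one always stops at the same hop count for a given limit, which is the behaviour the fix restores.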


Remediation

Install the update from the vendor's website (Oracle Critical Patch Update, October 2023). After applying it, confirm the new patch level with opatch lspatches against the Oracle home and in the DBA_REGISTRY_SQLPATCH view inside each database, since a patch applied to the home but not to the database leaves the SQL-level fixes unapplied.