Vulnerability in Oracle Database Recovery Manager Affects Oracle Database Server
CVE-2023-21918

6.8MEDIUM

Key Information:

Vendor: Oracle
Status: Database - Enterprise Edition
Vendor: CVE Published:; 18 April 2023

Summary

A vulnerability exists in the Oracle Database Recovery Manager component of Oracle Database Server, which impacts versions 19c and 21c. This vulnerability is exploitable by attackers with Local SYSDBA privileges who have network access through Oracle Net. Successful exploitation can lead to unauthorized control over the Oracle Database Recovery Manager, potentially resulting in significant disruptions such as performance hangs or frequent crashes, thereby causing denial of service. Furthermore, while the vulnerability is focused on the Recovery Manager, its impact may extend to other components of the Oracle database ecosystem. Mitigation is recommended to prevent possible exploitation.

Affected Version(s)

Database - Enterprise Edition 19c

Database - Enterprise Edition 21c

References

https://www.oracle.com/security-alerts/cpuapr2023.html

vendor-advisory

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Apr 18, 2023
Vulnerability Reserved
Dec 17, 2022