zdt / Emad Al-Mousa / 1337DAY-ID-39013
Sep 04, 2023 - 12:00 a.m.

Oracle RMAN Missing Auditing Vulnerability

2023-09-04 00:00:00
Emad Al-Mousa
0day.today
oracle rman
auditing vulnerability
database security

CVSS2: 2.1 Low
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 2.3 Low
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

AI Score: 4.2 Medium (Confidence: High)
EPSS: 0.0005 Low (Percentile: 16.1%)

Proof of concept exploit for Oracle RMAN on Oracle database versions 19c, 18c, 12.2.0.1, and 12.1.0.2 where an RMAN controlfile operation is not adequately logged.

Title: CVE-2021-2207 - RMAN Controlfile Operation Not Audited
Product:                   Database
Manufacturer:              Oracle
Affected Version(s):       12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s):         19c
Risk Level:                low
Score:                     2.3
Solution Status:           Fixed
CVE Reference:             CVE-2021-2207
Author of Advisory:        Emad Al-Mousa

Overview:

An audit failure is a security weakness in a software product, especially when a security audit is in place to detect a particular operation. Oracle RMAN is
the database Recovery Manager utility for backup and restore operations, so any security weakness or vulnerability in it can be exploited by an insider threat or
an external attacker to view confidential data in an unauthorized manner.

*****************************************
Vulnerability Details:

Oracle database controlfile restore is not logged in the unified audit logs.


*****************************************
Proof of Concept (PoC):


In this simulation, unified auditing logs the controlfile backup successfully, while the restore operation is not, as shown below:

rman target /

RMAN> backup current controlfile;

RMAN> restore controlfile to '/tmp/emad_ctl.ctl';

Querying Unified Audit logs:

SQL> select audit_type,client_program_name,event_timestamp,rman_operation,rman_object_type,rman_device_type from unified_audit_trail where audit_type like 'RMAN%' order by event_timestamp desc;


The controlfile backup was recorded in the RMAN_OBJECT_TYPE column, while the restore operation was logged but without making clear which database object it applied to; in our case it is the controlfile.
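
A review query built on the audit check above, added here as an example and not part of the original advisory: it summarises each RMAN session in UNIFIED_AUDIT_TRAIL and counts restore records that carry no object type, so those sessions can be correlated with other evidence. It assumes an unattributed restore shows a NULL RMAN_OBJECT_TYPE; the 30-day window is an arbitrary choice.

```sql
-- Added example: one row per RMAN session that contains a restore operation.
-- Assumption: a restore whose target object is not identified appears with
-- RMAN_OBJECT_TYPE = NULL. The 30-day look-back window is arbitrary.
SELECT rman_session_recid,
       rman_session_stamp,
       MIN(event_timestamp) AS first_event,
       MAX(event_timestamp) AS last_event,
       MAX(os_username)     AS os_username,
       MAX(dbusername)      AS dbusername,
       MAX(userhost)        AS userhost,
       -- Operations in time order, e.g. "Backup:Controlfile, Restore:?"
       LISTAGG(rman_operation || ':' || NVL(rman_object_type, '?'), ', ')
         WITHIN GROUP (ORDER BY event_timestamp) AS operations,
       -- Restore records the trail does not tie to any object type
       SUM(CASE WHEN UPPER(rman_operation) LIKE 'RESTORE%'
                 AND rman_object_type IS NULL
                THEN 1 ELSE 0 END) AS unattributed_restores
FROM   unified_audit_trail
WHERE  audit_type LIKE 'RMAN%'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '30' DAY
GROUP  BY rman_session_recid, rman_session_stamp
-- Keep only sessions in which at least one restore was audited
HAVING SUM(CASE WHEN UPPER(rman_operation) LIKE 'RESTORE%'
                THEN 1 ELSE 0 END) > 0
ORDER  BY last_event DESC;
```

Sessions with a non-zero unattributed_restores value are the ones where the audit trail alone cannot say what was restored.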


*****************************************
References:
https://www.oracle.com/security-alerts/cpuapr2021.html
https://databasesecurityninja.wordpress.com/2023/09/01/cve-2021-2207-rman-controlfile-operation-not-audited/
