VYPR
Unrated severity · NVD Advisory · Published Jul 15, 2020 · Updated Sep 27, 2024

CVE-2020-2978

Description

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-2978: High-privilege DBA via Oracle Net can bypass Unified Auditing for RMAN point-in-time recovery of sensitive tables, leaving no audit trail.

Vulnerability

CVE-2020-2978 affects Oracle Database Enterprise Edition versions 12.1.0.2, 12.2.0.1, 18c, and 19c. A DBA with network access via Oracle Net can exploit this flaw to perform unauthorized point-in-time recovery (PITR) of a sensitive table using RMAN, even when Unified Auditing is enabled and configured to audit SELECT statements on that table. The vulnerability resides in the RMAN audit logging mechanism: PITR operations are not recorded in the unified audit trail, despite the audit mode being set to IMMEDIATE WRITE and the audit policy covering the target table. [1]

Exploitation

An attacker must have DBA role privileges and network access to the Oracle database via Oracle Net. The attack sequence involves: (1) identifying a sensitive table with existing unified audit coverage for SELECT statements; (2) using RMAN to perform a point-in-time recovery of that table to a past state; (3) relying on the recovery operation bypassing audit logging, so that no record appears in DBA_AUDIT_TRAIL or UNIFIED_AUDIT_TRAIL. The attacker can then query the restored table without triggering further audit events, effectively concealing the data access. [1]

Impact

Successful exploitation grants unauthorized UPDATE, INSERT, or DELETE access to sensitive data in the restored table. The integrity impact is limited to that table (CVSS 4.1, Integrity only). No confidentiality or availability loss occurs. The attacker gains the ability to manipulate historical data without leaving forensic evidence in the audit logs, complicating post-incident investigations and real-time security monitoring. [1]

Mitigation

Oracle has not publicly disclosed a fix for this vulnerability as of the publication date (July 2020). No patch, workaround, or EOL status is provided in the reference. Organizations must rely on compensating controls: stricter DBA privilege management, enhanced monitoring of RMAN activity, or alternative audit mechanisms that capture PITR operations. Until a patch emerges, this issue remains unmitigated. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
