CVE-2021-35576
Description
Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
High-privileged attacker can bypass custom Unified Audit policies in Oracle Database by starting the database in upgrade mode.
Vulnerability
In Oracle Database Enterprise Edition Unified Audit component (versions 12.1.0.2, 12.2.0.1, 19c), custom audit policies are not enforced when the database is started in upgrade mode (startup upgrade). Only default audit policies (such as ORA_SECURECONFIG and ORA_LOGON_FAILURES) remain active in this mode, allowing any action on objects covered by custom policies to go unrecorded in the UNIFIED_AUDIT_TRAIL view [1].
Exploitation
An attacker must have high privileges (ALTER DATABASE and STARTUP) with network access via Oracle Net. The attacker executes the following sequence: (1) Shut down the database, (2) Restart it in upgrade mode (startup upgrade), (3) Perform the restricted operation (e.g., SELECT from a table protected by a custom audit policy), (4) Restart the database normally. During upgrade mode, the action is not audited, leaving no trace in the unified audit trail [1].
Impact
Successful exploitation results in unauthorized update, insert, or delete access to some data within the Oracle Database Enterprise Edition Unified Audit component. The CVSS 3.1 base score is 2.7 (Integrity only), meaning the attacker can modify data without affecting confidentiality or availability. The attack does not require user interaction but does require high privileges and network access [description].
Mitigation
Oracle fixed this vulnerability in the October 2021 Critical Patch Update (CPU) [1]. Organizations should apply the latest CPU for their affected Oracle Database versions (12.1.0.2, 12.2.0.1, 19c). There is no known workaround beyond applying the patch. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 12.1.0.2, 12.2.0.1, 19c
- Range: 12.1.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/170354/Oracle-Unified-Audit-Policy-Bypass.html (source: MITRE)
- packetstormsecurity.com/files/170373/Oracle-Database-Vault-Metadata-Exposure.html (source: MITRE)
- databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/ (source: MITRE)
- www.oracle.com/security-alerts/cpuoct2021.html (source: MITRE)
News mentions
No linked articles in our index yet.