VYPR
High severity · NVD Advisory · Published Jan 17, 2023 · Updated Sep 17, 2024

CVE-2023-21893

Description

A difficult-to-exploit vulnerability in Oracle Data Provider for .NET (ODP.NET) affecting database versions 19c and 21c could allow an unauthenticated attacker with network access via TCPS to take over the component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

CVE-2023-21893 is a vulnerability in the Oracle Data Provider for .NET (ODP.NET) component of Oracle Database Server, affecting versions 19c and 21c. The vulnerability also applies to the database client-only installation on Windows platforms [1][2][3]. The root cause lies in how ODP.NET handles TCPS (TCP with SSL/TLS) connections, allowing an unauthenticated attacker with network access to exploit the component under specific conditions.

Exploitation

The vulnerability is rated as difficult to exploit, requiring high attack complexity. An unauthenticated attacker with network access via TCPS can compromise the ODP.NET component. However, successful exploitation requires human interaction from a person other than the attacker, meaning the victim must perform some action (e.g., connect to a malicious server) to trigger the flaw [3]. The attack surface is limited to platforms where TCPS is used, and the prerequisite is network-level access to the target service.

Impact

If successfully exploited, the attacker can achieve a complete takeover of the Oracle Data Provider for .NET component, which results in compromise of confidentiality, integrity, and availability (CVSS 3.1 Base Score 7.5) [3]. This degree of control could allow an attacker to intercept or modify data transmitted between the client and the database, potentially leading to further compromise of the database server.

Mitigation

Oracle has addressed this vulnerability in subsequent releases. Affected users should update ODP.NET packages to the latest versions: for the ODP.NET Core managed driver, upgrade to version 3.21.90 or later [1]; for the ODP.NET Managed Driver for .NET Framework, upgrade to version 21.9.0 or later [2]. As part of the Oracle Critical Patch Update for January 2023, these updates provide the necessary fix. No workarounds are documented, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| Oracle.ManagedDataAccess (NuGet) | >= 21.0.0, < 21.9.0 | 21.9.0 |
| Oracle.ManagedDataAccess.Core (NuGet) | >= 3.21.0, < 3.21.90 | 3.21.90 |
| Oracle.ManagedDataAccess (NuGet) | >= 19.0.0, < 19.18.0 | 19.18.0 |
| Oracle.ManagedDataAccess.Core (NuGet) | >= 2.19.0, < 2.19.180 | 2.19.180 |
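
To check a project against the ranges above, the following added example (not code from Oracle, NVD, or this page's sources) scans a .csproj for PackageReference entries and flags versions that fall inside an affected range. The sample project file and the package name Example.Unrelated are constructed; floating versions such as 2.19.* are reported as unresolved rather than guessed.

```python
import xml.etree.ElementTree as ET

# Ranges from the "Affected packages" table: (package id, >= first affected, < patched).
AFFECTED = [
    ("Oracle.ManagedDataAccess", "21.0.0", "21.9.0"),
    ("Oracle.ManagedDataAccess.Core", "3.21.0", "3.21.90"),
    ("Oracle.ManagedDataAccess", "19.0.0", "19.18.0"),
    ("Oracle.ManagedDataAccess.Core", "2.19.0", "2.19.180"),
]

# Constructed sample project file (not from the advisory).
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Oracle.ManagedDataAccess.Core" Version="3.21.80" />
  <PackageReference Include="Oracle.ManagedDataAccess" Version="19.18.0" />
  <PackageReference Include="oracle.manageddataaccess.core"><Version>2.19.*</Version></PackageReference>
  <PackageReference Include="Example.Unrelated" Version="1.0.0" />
</ItemGroup></Project>"""

def parse_version(text):
    """Return a 4-part numeric tuple, or None for floating, range or prerelease specs."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def find_affected(csproj_xml):
    """Return (package, version, status) for each Oracle managed-driver reference."""
    findings = []
    for elem in ET.fromstring(csproj_xml).iter():
        if elem.tag.split("}")[-1] != "PackageReference":
            continue
        name = elem.get("Include", "")
        # NuGet package ids are case-insensitive.
        ranges = [(lo, fix) for pkg, lo, fix in AFFECTED if pkg.lower() == name.lower()]
        if not ranges:
            continue
        raw = elem.get("Version")  # attribute form; otherwise look for a child element
        if raw is None:
            raw = next((c.text or "" for c in elem if c.tag.split("}")[-1] == "Version"), "")
        ver = parse_version(raw)
        if ver is None:
            findings.append((name, raw, "unresolved: check the restored version"))
            continue
        fix = next((f for lo, f in ranges if parse_version(lo) <= ver < parse_version(f)), None)
        findings.append((name, raw, f"affected: upgrade to {fix} or later" if fix else "not in an affected range"))
    return findings

if __name__ == "__main__":
    for finding in find_affected(SAMPLE):
        print(*finding, sep=" | ")
```

The check reads only direct references in the project file; transitive dependencies and centrally managed versions need the restored dependency graph.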
