CVE-2021-2332: 
Oracle Database Server vulnerability analysis and mitigation

The vulnerability CVE-2021-2332 affects the Oracle LogMiner component of Oracle Database Server, discovered and disclosed in October 2021. The vulnerability impacts Oracle Database Server versions 12.1.0.2, 12.2.0.1, and 19c. This security flaw was identified by Eddie Zhu of Beijing DBSEC Technology Co., Ltd (Oracle Advisory).

The vulnerability is classified as easily exploitable and requires a high-privileged attacker with DBA privileges and network access via Oracle Net to compromise Oracle LogMiner. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.7, indicating a medium severity level. The CVSS vector is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H), which indicates network vector attack, low attack complexity, high privileges required, no user interaction needed, and unchanged scope (Oracle Advisory, NVD).

Successful exploitation of this vulnerability can result in multiple severe impacts: unauthorized creation, deletion or modification access to critical data or all Oracle LogMiner accessible data, unauthorized read access to a subset of Oracle LogMiner accessible data, and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle LogMiner (Oracle Advisory).

Oracle has released security patches for the affected versions (12.1.0.2, 12.2.0.1, and 19c) as part of the October 2021 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible due to the threat posed by successful attacks (Oracle Advisory).