CVE-2022-21432: 
Oracle Database Server vulnerability analysis and mitigation

CVE-2022-21432 is a security vulnerability affecting the Oracle Text component of Oracle Database Server. The vulnerability was discovered by Emad Al-Mousa of Saudi Aramco and affects Oracle Database Server versions 19.3-19.21. It is an easily exploitable vulnerability that requires a high-privileged attacker with DBA role privileges and network access via Oracle Net to compromise Oracle Text (Oracle CPU Jan 2024, Oracle CPU Jul 2022).

The vulnerability has a CVSS 3.1 Base Score of 2.7 (Availability impacts) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and unchanged scope (S:U). The impact is limited to availability with no confidentiality or integrity impacts (Oracle CPU Jan 2024).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Text. The impact is limited to availability aspects of the system, with no compromise to data confidentiality or integrity (Oracle CPU Jan 2024).

Oracle has released patches to address this vulnerability through their Critical Patch Update program. The fix is available for affected versions (19.3-19.21) of Oracle Database Server. Organizations are strongly recommended to apply these security patches as soon as possible to mitigate the risk (Oracle CPU Jan 2024).