CVE-2023-22074: 
Oracle Database Server vulnerability analysis and mitigation

A vulnerability (CVE-2023-22074) was identified in the Oracle Database Sharding component of Oracle Database Server, affecting versions 19.3-19.20 and 21.3-21.11. This vulnerability allows high privileged attackers with Create Session and Select Any Dictionary privileges to potentially compromise Oracle Database Sharding through Oracle Net access (Oracle Advisory).

The vulnerability has been assigned a CVSS 3.1 Base Score of 2.4 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L. The attack requires network access via Oracle Net and high privileges, specifically Create Session and Select Any Dictionary permissions. Additionally, successful exploitation requires human interaction from a person other than the attacker (Oracle Advisory).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Database Sharding. The impact is limited to availability, with no direct effects on confidentiality or integrity (Oracle Advisory).

Oracle has released patches for this vulnerability as part of the October 2023 Critical Patch Update. Organizations running affected versions (19.3-19.20 and 21.3-21.11) should apply these security patches as soon as possible. Until patches can be applied, organizations should carefully review and restrict access to Create Session and Select Any Dictionary privileges (Oracle Advisory).

The vulnerability was discovered and reported by Emad Al-Mousa of Saudi Aramco, demonstrating ongoing security research efforts in the database security community (Oracle Advisory).