CVE-2024-20903: 
Oracle Database Server vulnerability analysis and mitigation

A vulnerability has been identified in the Java VM component of Oracle Database Server, tracked as CVE-2024-20903. The vulnerability affects Oracle Database Server versions 19.3-19.21 and 21.3-21.12. This security issue was disclosed in Oracle's January 2024 Critical Patch Update (Oracle CPU).

The vulnerability is characterized as easily exploitable and requires a low-privileged attacker with Create Session and Create Procedure privileges to have network access via Oracle Net. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.5, indicating a medium severity level. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, which indicates network vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no impact on confidentiality, high impact on integrity, and no impact on availability (NVD).

Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data. The primary impact is on data integrity, with no direct effects on system confidentiality or availability (Oracle CPU).

Oracle has released security patches as part of the January 2024 Critical Patch Update to address this vulnerability. Organizations running affected versions (19.3-19.21 and 21.3-21.12) of Oracle Database Server should apply these patches as soon as possible. Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay (Oracle CPU).