CVE-2024-21126: 
Oracle Database Server vulnerability analysis and mitigation

A vulnerability (CVE-2024-21126) has been identified in the Oracle Database Portable Clusterware component of Oracle Database Server. The vulnerability affects versions 19.3-19.23 and 21.3-21.14. This is an easily exploitable vulnerability that allows unauthenticated attackers with network access via DNS to compromise Oracle Database Portable Clusterware (Oracle CPU).

The vulnerability has been assigned a CVSS 3.1 Base Score of 5.8 (Availability impacts) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L. The technical characteristics indicate that it is a low-complexity attack that requires no privileges or user interaction, but has a changed scope impact. The attack vector is network-based through DNS protocol (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Database Portable Clusterware. While the vulnerability is in Oracle Database Portable Clusterware, attacks may significantly impact additional products due to scope change (Oracle CPU).

Oracle has released security patches to address this vulnerability as part of the July 2024 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches without delay. The patches are available for supported versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy (Oracle CPU).