CVE-2021-2351
Last modified
CVE-2021-2351 is a high-severity vulnerability rated 8.3/10 on the CVSS scale. Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. EPSS estimates a 2.50% chance of exploitation in the next 30 days.
Description
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: "Changes in Native Network Encryption with the July 2021 Critical Patch Update" (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Advanced Networking Option | 12.1.0.2 |
| Oracle | Advanced Networking Option | 12.2.0.1 |
| Oracle | Advanced Networking Option | 19c |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Agile Product Lifecycle Management For Process | 6.2.2.0 |
| Oracle | Agile Product Lifecycle Management For Process | 6.2.3.0 |
| Oracle | Airlines Data Model | 12.1.1.0.0 |
| Oracle | Airlines Data Model | 12.2.0.1.0 |
| Oracle | Application Performance Management | 13.4.1.0 |
| Oracle | Application Performance Management | 13.5.1.0 |
| Oracle | Application Testing Suite | 13.3.0.1 |
| Oracle | Argus Analytics | 8.2.1 |
| Oracle | Argus Analytics | 8.2.2 |
| Oracle | Argus Analytics | 8.2.3 |
| Oracle | Argus Insight | 8.2.1 |
| Oracle | Argus Insight | 8.2.2 |
| Oracle | Argus Insight | 8.2.3 |
| Oracle | Argus Mart | 8.2.1 |
| Oracle | Argus Mart | 8.2.2 |
| Oracle | Argus Mart | 8.2.3 |
| Oracle | Argus Safety | 8.2.1 |
| Oracle | Argus Safety | 8.2.2 |
| Oracle | Argus Safety | 8.2.3 |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Apis | 19.1 |
| Oracle | Banking Apis | 19.2 |
| Oracle | Banking Apis | 20.1 |
| Oracle | Banking Apis | 21.1 |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | 17.2 |
| Oracle | Banking Digital Experience | 19.1 |
| Oracle | Banking Digital Experience | 19.2 |
| Oracle | Banking Digital Experience | 20.1 |
| Oracle | Banking Digital Experience | 21.1 |
| Oracle | Banking Enterprise Default Management | 2.10.0 |
| Oracle | Banking Enterprise Default Management | 2.12.0 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Banking Platform | 2.7.1 |
| Oracle | Banking Platform | 2.12.0 |
| Oracle | Big Data Spatial And Graph | < 23.1 |
| Oracle | Blockchain Platform | 21.1.2 |
| Oracle | Clinical | 5.2.1 |
| Oracle | Clinical | 5.2.2 |
| Oracle | Commerce Platform | 11.3.0 |
| Oracle | Commerce Platform | 11.3.1 |
| Oracle | Commerce Platform | 11.3.2 |
| Oracle | Communications Application Session Controller | 3.9.0 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.4 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.5 |
Showing 50 of 248 affected configurations. See NVD for the full list.
References
- http://packetstormsecurity.com/files/165255/Oracle-Database-Protection-Mechanism-Bypass.htmlExploit, Third Party Advisory, VDB Entry
- http://packetstormsecurity.com/files/165258/Oracle-Database-Weak-NNE-Integrity-Key-Derivation.htmlExploit, Third Party Advisory, VDB Entry
- http://seclists.org/fulldisclosure/2021/Dec/19Exploit, Mailing List, Third Party Advisory
- http://seclists.org/fulldisclosure/2021/Dec/20Exploit, Mailing List, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpujan2023.htmlVendor Advisory
- https://www.oracle.com/security-alerts/cpujul2021.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlVendor Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Vendor Advisory
- http://packetstormsecurity.com/files/165255/Oracle-Database-Protection-Mechanism-Bypass.htmlExploit, Third Party Advisory, VDB Entry
- http://packetstormsecurity.com/files/165258/Oracle-Database-Weak-NNE-Integrity-Key-Derivation.htmlExploit, Third Party Advisory, VDB Entry
- http://seclists.org/fulldisclosure/2021/Dec/19Exploit, Mailing List, Third Party Advisory
- http://seclists.org/fulldisclosure/2021/Dec/20Exploit, Mailing List, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpujan2023.htmlVendor Advisory
- https://www.oracle.com/security-alerts/cpujul2021.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlVendor Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-2351?
How severe is CVE-2021-2351?
How do I fix CVE-2021-2351?
Are you affected by CVE-2021-2351?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST