PT-2020-1537 · Oracle · Oracle Database Server

Harrison Neal · Published 2020-01-14 · Updated 2021-02-25 · CVE-2020-2517

CVSS v2.0: 4.9 (Medium)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c
Description

The issue stems from inadequate access control in the Database Gateway for ODBC component of Oracle Database Server. It is reachable over the network through the Oracle Net protocol, but only by an authenticated attacker who already holds the CREATE PROCEDURE and CREATE DATABASE LINK privileges. Such a user can compromise the gateway and thereby modify, add or delete data reachable through it, gain unauthorized access to some of that data, and cause a partial denial of service of the gateway. Note that the required privilege combination is routinely granted to application schema owners and not only to DBAs, so the set of accounts able to exploit the issue is usually wider than the phrase "high privileges" suggests.
Recommendations

Oracle addressed CVE-2020-2517 in its Critical Patch Update of January 2020; apply the patch or Release Update that corresponds to your version (11.2.0.4, 12.1.0.2, 12.2.0.1, 18c or 19c). Oracle does not ship a separately numbered fixed release for this issue, so there is no "newer version" to upgrade to: the fix is delivered through the January 2020 Critical Patch Update and the cumulative updates that follow it.

Until the patch is applied, reduce exposure in three ways. First, review which accounts hold CREATE PROCEDURE and CREATE DATABASE LINK, directly or through roles, and revoke the combination from accounts that do not need both; these privileges are the precondition for exploitation. Second, restrict network access to the Database Gateway for ODBC listener so that only the database hosts that legitimately use it can reach it over Oracle Net, for example with valid-node checking (TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES in sqlnet.ora on the gateway host) or host firewall rules. Third, where the gateway is not in use, stop it and drop the database links that reference it.
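The following queries are an added illustration of the privilege review and gateway inventory described above; they are not part of this advisory or of Oracle's. They assume an Oracle Database instance, a DBA session, and only standard data-dictionary views (DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, DBA_DB_LINKS). The account name APP_REPORTING in the final statement is a placeholder, not an account named anywhere on this page.

```sql
-- Added example (not from the advisory): audit the preconditions of
-- CVE-2020-2517 on an Oracle Database instance. Run as a DBA.
-- Only standard data-dictionary views are used.

-- 1. Resolve role nesting so that privileges inherited through roles
--    are attributed to the user that ultimately holds them. Oracle
--    rejects circular role grants, so the recursion terminates.
WITH role_tree (grantee, granted_role) AS (
    SELECT grantee, granted_role
    FROM   dba_role_privs
    UNION ALL
    SELECT rt.grantee, rp.granted_role
    FROM   role_tree rt
    JOIN   dba_role_privs rp ON rp.grantee = rt.granted_role
),
-- 2. Direct grants plus grants reached through any role in the tree.
--    CREATE PUBLIC DATABASE LINK is included because it also lets the
--    holder define a link that reaches the gateway.
effective_privs (grantee, privilege) AS (
    SELECT grantee, privilege
    FROM   dba_sys_privs
    WHERE  privilege IN ('CREATE PROCEDURE', 'CREATE DATABASE LINK',
                         'CREATE PUBLIC DATABASE LINK')
    UNION
    SELECT rt.grantee, sp.privilege
    FROM   role_tree rt
    JOIN   dba_sys_privs sp ON sp.grantee = rt.granted_role
    WHERE  sp.privilege IN ('CREATE PROCEDURE', 'CREATE DATABASE LINK',
                            'CREATE PUBLIC DATABASE LINK')
)
-- 3. Users (roles are filtered out via DBA_USERS) that hold both halves
--    of the combination the vulnerability requires.
SELECT ep.grantee,
       LISTAGG(ep.privilege, ', ') WITHIN GROUP (ORDER BY ep.privilege)
           AS privileges
FROM   effective_privs ep
JOIN   dba_users u ON u.username = ep.grantee
GROUP  BY ep.grantee
HAVING SUM(CASE WHEN ep.privilege = 'CREATE PROCEDURE' THEN 1 ELSE 0 END) > 0
   AND SUM(CASE WHEN ep.privilege LIKE 'CREATE%DATABASE LINK' THEN 1 ELSE 0 END) > 0
ORDER  BY ep.grantee;

-- 4. Database links. The ODBC gateway is addressed through a link whose
--    connect descriptor carries (HS=OK). When HOST is a tnsnames.ora
--    alias the descriptor lives in that file, so only inline descriptors
--    can be classified from the dictionary alone; the rest need a manual
--    check of tnsnames.ora on the database host.
SELECT owner, db_link, username, host, created,
       CASE WHEN UPPER(host) LIKE '%HS=%' THEN 'HETEROGENEOUS (inline descriptor)'
            ELSE 'check alias in tnsnames.ora for (HS=OK)' END AS gateway_hint
FROM   dba_db_links
ORDER  BY owner, db_link;

-- 5. Mitigation for an account that does not need both privileges.
--    APP_REPORTING is a placeholder account name, not from the advisory.
REVOKE CREATE DATABASE LINK FROM app_reporting;
```

The first query reports users, not roles, because only a user can open an Oracle Net session; a privilege sitting on an unassigned role is not yet a precondition. Treat the result as an inventory of who could exploit the issue, not as evidence that anyone has: the real fix remains the January 2020 Critical Patch Update, and the REVOKE only narrows the pool of accounts until it is applied.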

Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2020-00530
CVE-2020-2517

Affected Products

Oracle Database
Oracle Database Server