1. Vulnerability Overview
Description
In OceanBase's Oracle tenant mode, a malicious user with specific privileges can achieve privilege escalation to SYS-level access by executing carefully crafted commands. This vulnerability only affects OceanBase tenants in Oracle mode. Tenants in MySQL mode are unaffected.
1.1 Affected Versions and Patch Information
⚠️: This vulnerability only affects Oracle tenants. Clusters using MySQL tenants are not impacted.
Affected:
● affected from 3.2.4.x before 3.2.4.8
● affected from 4.2.1.x before 4.2.1.10
● affected from 4.2.x before 4.2.5
● affected from 4.3.3.x before 4.3.3.2
Unaffected:
● unaffected at 4.3.4
1.2 CVSS Score
| Scoring standard | Score | Scoring vector |
|------------------|-------|----------------|
| CVSS v3.1 | 6.3 | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:A/MAC:L/MPR:L/MUI:N/MS:U/MC:L/MI:L/MA:L |
| CVSS v2 | 6.0 | AV:N/AC:M/Au:S/C:P/I:P/A:P |
1.3 Mitigation measures
Users can adopt the following measures to mitigate or avoid risks:
1. Revoke unnecessary CREATE PROCEDURE privileges from non-administrator accounts:
○ Use the following command to view non-administrator accounts with CREATE PROCEDURE privileges:
  SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE 'CREATE PROCEDURE' AND GRANTEE NOT IN ('SYS', 'DBA', 'ORAAUDITOR', 'RESOURCE');
○ Use the following command to revoke unnecessary CREATE PROCEDURE privileges from non-administrator accounts:
  REVOKE CREATE PROCEDURE FROM <YOUR_ACCOUNT>;
2. Reduce security risks by either:
○ Avoiding direct exposure of database access ports to the public internet
○ Restricting connections from untrusted network segments by configuring tenant whitelists
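The two triage steps above (is the cluster version in an affected range, and which non-administrator grantees hold CREATE PROCEDURE) as a small helper script. This is an added example, not OceanBase's own tooling; the DBA_SYS_PRIVS rows are constructed sample data, and treating 4.2.1.x as its own branch separate from 4.2.x is an assumption drawn from the version list.

```python
"""Triage helper for the Oracle-tenant privilege escalation advisory (added example)."""

# Affected ranges from the advisory: (branch prefix, first fixed version on that branch).
# Assumption: 4.2.1.x is a separate branch, so 4.2.1.10 counts as fixed even though it
# sorts below 4.2.5 on the broader 4.2.x line.
AFFECTED = [
    ((3, 2, 4), (3, 2, 4, 8)),
    ((4, 2, 1), (4, 2, 1, 10)),
    ((4, 2), (4, 2, 5)),
    ((4, 3, 3), (4, 3, 3, 2)),
]

# Administrator grantees excluded by the advisory's query.
ADMIN_GRANTEES = {"SYS", "DBA", "ORAAUDITOR", "RESOURCE"}


def parse_version(text):
    return tuple(int(p) for p in text.strip().split("."))


def is_affected(version, tenant_mode="ORACLE"):
    """True if an Oracle-mode tenant on this version falls in an affected range."""
    if tenant_mode.upper() != "ORACLE":
        return False  # MySQL-mode tenants are not impacted
    v = parse_version(version)
    # Match the most specific branch first, so 4.2.1.x is checked before 4.2.x.
    for branch, fixed in sorted(AFFECTED, key=lambda r: -len(r[0])):
        if v[: len(branch)] == branch:
            return v < fixed
    return False  # e.g. 4.3.4, which the advisory lists as unaffected


def revoke_statements(rows):
    """Build REVOKE statements for non-admin grantees holding CREATE PROCEDURE."""
    return [
        f"REVOKE CREATE PROCEDURE FROM {grantee};"
        for grantee, priv in rows
        if priv == "CREATE PROCEDURE" and grantee not in ADMIN_GRANTEES
    ]


# Constructed (GRANTEE, PRIVILEGE) pairs standing in for a DBA_SYS_PRIVS result set.
SAMPLE_ROWS = [
    ("SYS", "CREATE PROCEDURE"),
    ("APP_RW", "CREATE PROCEDURE"),
    ("REPORTING", "CREATE SESSION"),
    ("ETL_USER", "CREATE PROCEDURE"),
]

if __name__ == "__main__":
    print(is_affected("4.2.1.9"), is_affected("4.2.1.10"))
    print("\n".join(revoke_statements(SAMPLE_ROWS)))
```

Review each generated REVOKE before running it; an account that legitimately needs to create procedures should be handled by upgrading rather than by revoking.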
2. References
https://www.cve.org/CVERecord?id=CVE-2025-8107