Title: CVE-2021-2207 - RMAN Controlfile Operation Not Audited  
Product: Database  
Manufacturer: Oracle  
Affected Version(s):,, 18c, 19c  
Tested Version(s): 19c  
Risk Level: low  
Score: 2.3  
Solution Status: Fixed  
CVE Reference: CVE-2021-2207  
Author of Advisory: Emad Al-Mousa  
Audit failure is a security weakness in software product especially if a security audit is in-place to detect a certain operation. Oracle RMAN is  
a database Recovery Manager utility for backup and restore operations, so any security weakness/vulnerability can be exploited by insider threat or  
external attacker to view confidential data in unauthorized manner.  
Vulnerability Details:  
oracle database controlfile restore is not logged in unified auditing logs  
Proof of Concept (PoC):  
In this simulation, unified auditing logs the backup of controlfile successfully while restore operation was not as shown below:  
rman target /  
RMAN> backup current controlfile;  
RMAN> restore controlfile to '/tmp/emad_ctl.ctl';  
Querying Unified Audit logs:  
SQL> select audit_type,client_program_name,event_timestamp,rman_operation,rman_object_type,rman_device_type from unified_audit_trail where audit_type like 'RMAN%'' order by event_timestamp desc;  
control file backup was recorded under RMAN_OBJECT_TYPE column while restore operation was logged, but it was not clear for which database object….in our case its the controlfile !