Oracle Database Server contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands with the privileges of the database user. Updates are not available.
The vulnerability is due to a security weakness in the JAVA_ADMIN role. An attacker with the JAVA_ADMIN role and privileges to create procedures could exploit the vulnerability to run arbitrary commands on the underlying operating system with the privileges of the database server. Code execution could allow the attacker to escalate privileges to those of OSDBA.
Functional exploit code is publicly available.
Oracle has not confirmed this vulnerability and updated software is not available.
Oracle Database Server version 10.2.0.3 is vulnerable. Other versions may also be affected.
The JAVA_ADMIN role may appear to be a low-privileged account but, when combined with the privilege to create procedures, it can be used to create script files and run them on the underlying operating system. Any such code execution would take place with the privileges of the database server process and could result in a full compromise of the affected database.
Vendor announcements are not available.
An authenticated, remote attacker with the JAVA_ADMIN role could execute arbitrary commands on the underlying operating system with the privileges of the database server. This action could allow the attacker to escalate privileges to OSDBA.
The vulnerability exists because the JAVA_ADMIN role combined with the privilege to create procedures can allow an attacker to create script files on the underlying operating system and gain the privileges to execute the files.
An authenticated, remote attacker could run a command to change the OSDBA password to a known value. This action could allow privilege escalation to OSDBA.
Administrators are advised to contact the vendor regarding future updates and releases.
Administrators are advised to grant JAVA_ADMIN privileges only to trusted users.
Administrators are advised to monitor affected systems for signs of suspicious activities.
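One way to inventory accounts that hold the combination described above (the JAVA_ADMIN role together with a procedure-creation privilege), as an added example that is not part of the alert: an Oracle SQL query over the standard DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_USERS dictionary views, run by a DBA. It follows role-to-role grants, so users who receive JAVA_ADMIN or CREATE PROCEDURE through an intermediate role are listed too; the CONNECT BY form is used so that it runs on 10g.

```sql
-- Added audit query, not from the alert. Lists every database user who
-- holds JAVA_ADMIN (directly or via nested roles) AND a privilege that
-- allows creating procedures. Run as a DBA-privileged user.
WITH user_roles AS (
  -- every role each user holds, following role-to-role grants;
  -- CONNECT_BY_ROOT keeps the originating user for each reachable role
  SELECT DISTINCT CONNECT_BY_ROOT grantee AS username,
         granted_role
  FROM   dba_role_privs
  START WITH grantee IN (SELECT username FROM dba_users)
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
user_sys_privs AS (
  -- system privileges granted to the user directly ...
  SELECT grantee AS username, privilege
  FROM   dba_sys_privs
  WHERE  grantee IN (SELECT username FROM dba_users)
  UNION
  -- ... or to any role the user holds
  SELECT ur.username, sp.privilege
  FROM   user_roles ur
  JOIN   dba_sys_privs sp ON sp.grantee = ur.granted_role
)
SELECT ur.username,
       du.account_status,
       sp.privilege
FROM   user_roles     ur
JOIN   user_sys_privs sp ON sp.username = ur.username
JOIN   dba_users      du ON du.username = ur.username
WHERE  ur.granted_role = 'JAVA_ADMIN'
AND    sp.privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
ORDER  BY ur.username, sp.privilege;
```

Every row returned is an account to review against the "trusted users only" guidance above; SYS and SYSTEM will normally appear and can be taken as expected, but any other open account in the list warrants revocation of one of the two grants.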
The security vulnerability applies to the following combinations of products.
Oracle Database Server 10g
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.