Proof-of-concept code that exploits the Oracle Database Server remote privilege escalation vulnerability is publicly available.
Oracle Database Server 11gR2 contains a vulnerability that could allow an authenticated, remote attacker to gain elevated privileges on the affected database.
A well-known security researcher has disclosed a vulnerability in Oracle Database Server 11gR2. The vulnerability exists in the implementation of the Java language. An overly permissive grant of privileges could be exploited by an unprivileged user to gain elevated privileges on the database server. These privileges could allow the attacker to take full control of the database server. It could be possible for an unprivileged user to bypass Oracle's Label Security mandatory access controls.
Proof-of-concept code that exploits this vulnerability is publicly available.
Oracle has not confirmed this vulnerability and updated software is not available.
Oracle Database Server 11gR2, version 11.2, is vulnerable.
It is unclear what privileges an attacker would require to bypass Label Security; however, exploitation of the first part of the vulnerability could allow the attacker to execute operating system commands with the privileges of the Oracle database process. This privilege may be the one that is used to bypass Label Security.
Because the Oracle database runs as SYSTEM on Microsoft Windows-based systems, an attacker could leverage this vulnerability to execute arbitrary code on affected systems with SYSTEM privileges. An exploit could result in a full system compromise.
Vendor announcements are not available.
An authenticated, remote attacker could exploit this vulnerability to execute arbitrary code on an affected system with the privileges of the database user. The attacker could gain complete control over the affected database.
This vulnerability is in the IMPORT_JVM_PERMS procedure of the DBMS_JVM_EXP_PERMS package.
An authenticated, remote attacker could make a crafted call to IMPORT_JVM_PERMS to cause the Java Virtual Machine to grant the attacker the ability to run commands on the system and to read and write files. Other database controls would still prevent the attacker from performing these actions, but that restriction can be bypassed by making a crafted call to the SET_OUTPUT_TO_JAVA procedure in the DBMS_JAVA package, which can allow the attacker to run commands on the operating system with the privileges of the database process user. The attacker could then use this command execution to create a new user with DBA privileges.
Additionally, vulnerabilities in the Java implementation could allow an attacker to bypass Label Security by loading dynamic libraries into the database process. This action could allow the attacker to access restricted data.
Administrators are advised to contact the vendor regarding future updates and releases.
Administrators are advised to only allow trusted users to have native SQL access.
Administrators may consider removing PUBLIC access to the DBMS_JAVA and DBMS_JVM_EXP_PERMS packages.
Administrators are advised to monitor affected systems.
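One way to carry out the PUBLIC-access and monitoring recommendations above, as an added example that is not part of the original alert or vendor guidance. It assumes a DBA session with access to the DBA_* dictionary views, and the grantee exclusion list in step 4 is an assumed baseline to adjust for each site.

```sql
-- Added example: run as a DBA in SQL*Plus; try it on a non-production copy first.

-- 1. Is EXECUTE on the two packages currently granted to PUBLIC?
SELECT owner, table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND privilege  = 'EXECUTE'
   AND table_name IN ('DBMS_JAVA', 'DBMS_JVM_EXP_PERMS');

-- 2. Which application objects reference the packages and may rely on
--    the PUBLIC grant? Review these before revoking.
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name IN ('DBMS_JAVA', 'DBMS_JVM_EXP_PERMS')
   AND owner NOT IN ('SYS', 'PUBLIC')
 ORDER BY owner, name;

-- 3. Remove PUBLIC access. Schemas found in step 2 that genuinely need
--    a package should receive a direct, explicit grant instead.
REVOKE EXECUTE ON sys.dbms_java          FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- 4. Monitoring: Java file and runtime permissions held by grantees
--    outside the expected baseline (exclusion list is an assumption).
SELECT grantee, kind, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name IN ('java.io.FilePermission',
                     'java.lang.RuntimePermission')
   AND grantee NOT IN ('SYS', 'JAVASYSPRIV', 'JAVA_ADMIN')
 ORDER BY grantee, type_name;

-- 5. Monitoring: accounts holding the DBA role, newest first, to spot
--    a DBA user that nobody on the team created.
SELECT u.username, u.created
  FROM dba_users u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE r.granted_role = 'DBA'
 ORDER BY u.created DESC;
```

Re-run step 1 after the revoke to confirm it returns no rows, and re-check after patching or upgrades, which can restore default grants.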
Version 3, February 9, 2010, 9:58 AM: Additional information is available to describe the Oracle Database Server remote privilege escalation vulnerability.
Version 2, February 5, 2010, 1:48 PM: Additional technical information is available to describe the Oracle Database Server remote privilege escalation vulnerability.
Version 1, February 4, 2010, 12:52 PM: Oracle Database Server contains a vulnerability that could allow an authenticated, remote attacker to gain elevated privileges on the affected database. Updates are not available.
The security vulnerability applies to the following combinations of products.
Oracle Database Server 11g
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.