Enterprises running Oracle databases face a significant threat from this privilege escalation vulnerability. It allows an ordinary database user to escalate to full administrative control, which exposes the organization to both security and compliance risk. See details below.
Risk Level: High
Affected versions: Oracle 10gR1, 10gR2, 11gR1 and 11gR2
Remote exploitable: Yes - only the CREATE SESSION privilege is required
Details:
A privilege escalation vulnerability has been announced by a security researcher that allows an attacker to take complete control of an Oracle database system. Three packages belonging to 'Aurora', the Java virtual machine embedded in the Oracle database, are vulnerable, and all three are executable by any database user by default. There is currently no patch available to correct this issue; however, Oracle offers access control features that can easily be configured to eliminate or reduce the risk posed by this vulnerability.
This attack requires EXECUTE privileges on the following packages:
- SYS.DBMS_JAVA
- SYS.DBMS_JAVA_TEST
- SYS.DBMS_JVM_EXP_PERMS
By default, PUBLIC is granted EXECUTE on all three.
Impact:
This exploit has been shown to allow an attacker to:
- Assume the SYSDBA Role
- Execute any file on the host OS
- Load and run custom binary code within the Oracle process
- Circumvent Oracle Label Security
Vendor Status:
No patch is available from Oracle at this time.
Workaround:
There is currently no patch available for this vulnerability. However, Oracle offers access control features that can be configured to eliminate or reduce the risk posed by this issue.
Revoking EXECUTE privileges on the vulnerable packages is the most effective means to protect your systems. First, revoke EXECUTE from PUBLIC, then perform a User Rights Review scan to determine whether any users or roles can still EXECUTE the vulnerable packages. Revoke any privileges on these packages that are not strictly required to perform job functions.
For those circumstances where database users or roles must be granted EXECUTE rights on the vulnerable DBMS_JAVA packages, we recommend monitoring the use of those packages using DbProtect's Audit & Threat Management module to ensure no exploits are attempted.
The following statements REVOKE EXECUTE on the vulnerable packages from PUBLIC. Before running them on a production system, test the changes to ensure they do not cause functional issues for applications that use the database.
REVOKE EXECUTE on SYS.DBMS_JAVA from PUBLIC;
REVOKE EXECUTE on SYS.DBMS_JAVA_TEST from PUBLIC;
REVOKE EXECUTE on SYS.DBMS_JVM_EXP_PERMS from PUBLIC;
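The advisory's workaround has three parts: revoke from PUBLIC, find out who can still execute the packages, and monitor any grants that must remain. The statements below are an added example, not part of the advisory or of any Application Security, Inc. product. They carry out the second and third parts with Oracle's own data dictionary views and object auditing instead of the AppDetectivePro and DbProtect features the advisory names. They assume the Oracle 10g/11g dictionary views (DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, DBA_ROLES, DBA_AUDIT_TRAIL), a session with SELECT ANY DICTIONARY (or SYS), and, for the audit part, that the AUDIT_TRAIL initialization parameter is set to DB or DB,EXTENDED.

```sql
-- Added example (not from the advisory): find every grantee that can still
-- EXECUTE the vulnerable packages after the PUBLIC revoke, resolve role grants
-- down to the users that hold them, and audit executions of grants that remain.

-- 1. Direct EXECUTE grants on the three packages, classified by grantee type.
--    Any row whose grantee is PUBLIC means the revoke above has not been run.
SELECT tp.grantee,
       tp.table_name,
       tp.grantable,
       CASE
         WHEN u.username IS NOT NULL THEN 'USER'
         WHEN r.role     IS NOT NULL THEN 'ROLE'
         ELSE 'PUBLIC'
       END AS grantee_type
  FROM dba_tab_privs tp
  LEFT JOIN dba_users u ON u.username = tp.grantee
  LEFT JOIN dba_roles r ON r.role     = tp.grantee
 WHERE tp.owner      = 'SYS'
   AND tp.privilege  = 'EXECUTE'
   AND tp.table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
 ORDER BY tp.table_name, tp.grantee;

-- 2. Users who inherit EXECUTE through a role, however deeply the roles nest.
--    DBA_ROLE_PRIVS maps GRANTEE -> GRANTED_ROLE. Start from each role that
--    holds a direct grant and walk the role graph until the grantee is a user.
SELECT DISTINCT rp.grantee                    AS username,
       CONNECT_BY_ROOT rp.granted_role        AS via_role,
       LEVEL                                  AS nesting_depth
  FROM dba_role_privs rp
 WHERE rp.grantee IN (SELECT username FROM dba_users)
 START WITH rp.granted_role IN (
         SELECT tp.grantee
           FROM dba_tab_privs tp
          WHERE tp.owner      = 'SYS'
            AND tp.privilege  = 'EXECUTE'
            AND tp.table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
            AND tp.grantee    IN (SELECT role FROM dba_roles))
 CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role
 ORDER BY username, via_role;

-- 3. For grants that must stay, record every execution with native object
--    auditing (BY ACCESS writes one audit record per call). This substitutes
--    Oracle's own audit trail for the DbProtect monitoring the advisory recommends.
AUDIT EXECUTE ON sys.dbms_java          BY ACCESS;
AUDIT EXECUTE ON sys.dbms_java_test     BY ACCESS;
AUDIT EXECUTE ON sys.dbms_jvm_exp_perms BY ACCESS;

-- Review what the audit trail has captured; a RETURNCODE of 0 is a successful
-- call, a non-zero value is the ORA- error the call returned.
SELECT at.timestamp,
       at.username,
       at.os_username,
       at.userhost,
       at.obj_name,
       at.action_name,
       at.returncode
  FROM dba_audit_trail at
 WHERE at.owner    = 'SYS'
   AND at.obj_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
 ORDER BY at.timestamp DESC;
```

Run query 1 and query 2 before and after the PUBLIC revoke: the first shows the remaining direct grants, the second shows which real users still reach the packages through roles, which is the list to reconcile against job functions before issuing further REVOKE statements. Because the revoke from PUBLIC also removes the implicit access that every user previously had, any application that calls these packages will start failing at that point, which is why the advisory asks for testing first.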
Fix:
This vulnerability was publicly disclosed on February 3, 2010. The vendor is aware of the issue and has not released a fix yet.
CVE:
N/A
Application Security, Inc's database security solutions have helped over 2,000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.