SE-2014-01 Frequently Asked Questions

Last update: Nov-04-2014

Why did you look into Oracle Database security?
We didn't plan to evaluate the security of Oracle Database. This research was built upon "leftovers" from our Oracle Java Cloud Service project (unused bugs that didn't fit the SE-2013-01 project).
What is Oracle Database Java VM?
Oracle Database Java VM (Oracle JVM or Aurora VM) is a custom implementation of a Java Virtual Machine by Oracle that is tightly integrated with Oracle Database software.
Is there anything specific about the discovered vulnerabilities?
The discovered security issues violate Oracle's own "Secure Coding Guidelines for the Java Programming Language" [1]. Most of them demonstrate a very well known problem related to Java SE security (insecure use of the Java Reflection API [2]). This API was a direct cause of dozens of security vulnerabilities in Java SE reported to the vendor in 2005, 2012 and 2013.
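To make the class of bug the FAQ refers to concrete, the following is an added example (not code from Security Explorations, Oracle, or any of the reported issues) of the generic "insecure use of Java Reflection API" pattern: privileged code that reflectively resolves and invokes whatever class and method a caller names, next to a hardened form that only dispatches to a fixed allowlist of targets. The class name ReflectionDispatch, the allowlist contents and both method names are assumptions made for the illustration.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

// Added example, not code from the original page or from Oracle/Security Explorations.
// Illustrates the generic reflection misuse pattern the FAQ names; all identifiers here
// (ReflectionDispatch, invokeUntrusted, invokeAllowlisted, DISPATCH_ALLOWLIST) are hypothetical.
public class ReflectionDispatch {

    /**
     * Vulnerable pattern: the class and method are chosen entirely by the caller, but the
     * Class.forName / getMethod / invoke chain runs with this (privileged) code's permissions.
     * If this code is more trusted than its caller, the caller inherits that trust.
     */
    static Object invokeUntrusted(String className, String methodName) throws Exception {
        Class<?> c = Class.forName(className);   // class picked by the caller
        Method m = c.getMethod(methodName);     // method picked by the caller
        return m.invoke(null);                  // executed with the privileges of this code
    }

    /** Hardened pattern: only pre-approved (class, static method) pairs are reachable. */
    private static final Map<String, Set<String>> DISPATCH_ALLOWLIST = Map.of(
        "java.lang.System", Set.of("lineSeparator"),
        "java.util.UUID", Set.of("randomUUID"));

    static Object invokeAllowlisted(String className, String methodName) throws Exception {
        Set<String> methods = DISPATCH_ALLOWLIST.get(className);
        if (methods == null || !methods.contains(methodName)) {
            // Reject before any reflective lookup happens, so unapproved targets are never resolved.
            throw new SecurityException("reflective target not allowed: " + className + "#" + methodName);
        }
        Class<?> c = Class.forName(className);
        Method m = c.getMethod(methodName);
        return m.invoke(null);
    }

    public static void main(String[] args) throws Exception {
        // Approved target: resolved and invoked.
        System.out.println("allowed: " + invokeAllowlisted("java.util.UUID", "randomUUID"));
        // Existing static method, but not on the allowlist: rejected.
        try {
            invokeAllowlisted("java.lang.System", "gc");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The decisive property of the hardened form is that the check happens on the caller-supplied strings before Class.forName is ever called, so the set of classes and methods reachable through the privileged code is fixed at compile time rather than decided by whoever calls it.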
What is the impact of the issues found?
A user of Oracle Database software with the bare minimum privilege required to connect and log in to it (a "CREATE SESSION" privilege only) can successfully compromise its security.
What about the requirement for a "CREATE PROCEDURE" privilege to define Java objects in Oracle Database [3]?
We identified a vulnerability (Issue 20) that allows for an arbitrary bypass of that requirement.
Do the discovered issues affect Java SE as well?
No. They affect only the Java VM implementation embedded in Oracle Database software.
How come database privileges can be elevated from Java?
This is possible due to the tight integration of the Java VM and Oracle Database runtimes. Their security models do not really fit together. As a result, by combining a certain deficiency of the Oracle Database security model with a Java VM implementation weakness, a successful privilege elevation can be achieved.
Does it all mean that Java security vulnerabilities can pose a security risk to Oracle Database?
Java security weaknesses can pose a significant security risk to any software that relies on a vulnerable Java VM implementation processing untrusted, potentially malicious Java code. Oracle Database is no exception here.
Unfortunately, as of Nov 04, 2014, Oracle Support Documents 360870.1 [4] and 1074055.1 [5] still contained misleading and inaccurate information about the impact of Java Security Vulnerabilities on Oracle Database and Fusion Middleware products.
Java exploits make it particularly easy to elevate privileges to an administrator role in the environment of Oracle Database software.
Which system platforms of Oracle Database software are affected by the identified flaws?
Discovered flaws are platform independent (Java level flaws). They affect all Oracle Database platforms that embed vulnerable Java VM implementation (HP-UX Itanium, IBM AIX on POWER Systems, IBM Linux on System z, Linux x86/x86-64, Oracle Solaris on SPARC/x86-64, Microsoft Windows x64).
Did you verify your findings on the most up-to-date version of Oracle Database software?
Yes. Almost all vulnerabilities (Issues 1-20) were confirmed to affect both Oracle Database 11g and 12c for Windows x64 and Linux x86-64 with the most recent patches applied (corresponding Patch Bundles / Patch Set Updates from May and Jun 2014). The remaining 2 issues were confirmed to affect the most up-to-date version of Oracle Database 12c for the same platforms.
Is the Oracle CPU from Jul 15, 2014 closing any of the vulnerabilities you reported to the company?
No. As of Jul 24, 2014 all 22 vulnerabilities remain unpatched. We confirmed that they can be used to achieve arbitrary privilege elevation in Oracle Database 12c with Jul 2014 CPU applied.
Is the Oracle CPU from Oct 14, 2014 closing any of the vulnerabilities you reported to the company?
According to the status report received from Oracle on Oct 24, 2014, this CPU addresses all 22 security vulnerabilities reported. Not all fixes for them were available to the public on the CPU date, though. Oracle Support Document 1912224.1 [6] indicates that patches for many platforms were made available 1-3 weeks later.
In response to our inquiry regarding the reasons for issuing incomplete CPU fixes, Oracle claimed that it occasionally allowed the patches to be released by the end of the month in which the CPU was issued.
How long did you work on this project?
The whole research took us 4 months of work in total.
Do you plan to release more technical information about the issues uncovered?
We plan to publish all vulnerabilities' details and Proof of Concept code through our website.

References:

[1] Secure Coding Guidelines for the Java Programming Language, Version 4.0
    http://www.oracle.com/technetwork/java/seccodeguide-139067.html
[2] Security Vulnerabilities in Java SE, technical report
    http://www.security-explorations.com/materials/se-2012-01-report.pdf
[3] Oracle Database Java Developer's Guide, 11g Release 2 (11.2)
    http://docs.oracle.com/cd/E18283_01/java.112/e10588.pdf
[4] Impact of Java SE Security Vulnerabilities on Oracle Database and Fusion Middleware Products (Doc ID 360870.1) (screenshot)
[5] Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products (Doc ID 1074055.1) (screenshot)
[6] Patch Set Update and Critical Patch Update October 2014 Availability Document (Doc ID 1912224.1) (screenshot)

Copyright 2008-2017 Security Explorations. All Rights Reserved.