Polski

SE-2014-01 Press Info

16 June 2014, Poznan, Poland

Security Explorations, a security and vulnerability research company from Poland, discovered multiple security issues in the implementation of a Java VM embedded in Oracle Database software [1].

Discovered security issues violate many "Secure Coding Guidelines for the Java Programming Language" [2]. Most of them demonstrate a well known problem related to Java SE security. Among a total of 20 weaknesses discovered, there are issues that allow to create a specific Java security bypass condition or that facilitate the execution of arbitrary Java code on a target Oracle Database server without proper privileges.

Security Explorations developed reliable Proof of Concept codes for all of the issues found. This includes 8 exploit codes implementing 3 different privilege elevation techniques for gaining administrator role in a target database environment.

A malicious user with a bare minimum privilege required to connect and login to Oracle Database (with "CREATE SESSION" privilege only) can successfully compromise the security of the software that according to Oracle CEO "hasn't been broken into for a couple of decades by anybody" and that is "so secure, there are people that complain" [3].

The following versions of Oracle Database software were verified to be vulnerable to all 20 identified weaknesses:

  • Oracle Database 11g Release 2 (11.2.0.1.0) for Microsoft Windows x64
  • Oracle Database 11g Release 2 (11.2.0.4.5) Patch Bundle 18590877 for Microsoft Windows x64
  • Oracle Database 12c Release 1 (12.1.0.1.0) for Microsoft Windows x64
  • Oracle Database 12c Release 1 (12.1.0.1.9) Bundle Patch 18724015 for Microsoft Windows x64

On Jun 16 2014, Security Explorations sent a vulnerability notice to Oracle corporation containing detailed information about discovered vulnerabilities. Along with that, the company was also provided with source and binary codes for 8 Proof of Concept codes illustrating all security bypass issues and exploitation techniques.

References:

  1. [1] Oracle Database (http://www.oracle.com/database)
  2. [2] Secure Coding Guidelines for the Java Programming Language, Version 4.0
    (http://www.oracle.com/technetwork/java/seccodeguide-139067.html)
  3. [3] Oracle's Ellison downplays threat of NSA database snooping
    (http://www.reuters.com/article/2014/01/30/us-oracle-nsa-idUSBREA0T05U20140130)


Copyright 2008-2016 Security Explorations. All Rights Reserved.