Hello All,
Security Explorations discovered multiple security issues in the implementation
of a Java VM embedded in Oracle Database software [1].
Discovered security issues violate many "Secure Coding Guidelines for the
Java Programming Language" [2]. Most of them demonstrate a well known problem related to Java SE security. Among a total of 20 weaknesses discovered, there
are issues that allow to create a specific Java security bypass condition
or that facilitate the execution of arbitrary Java code on Oracle Database
server without proper privileges.
We developed reliable Proof of Concept codes for all of the issues found.
This includes 8 exploit codes implementing 3 different privilege elevation
techniques for gaining administrator role in a target database environment.
A malicious user with a bare minimum privilege required to connect and login
to Oracle Database (with "CREATE SESSION" privilege only) can successfully
compromise the security of the software that according to Oracle CEO "hasn't
been broken into for a couple of decades by anybody" and that is "so secure,
there are people that complain" [3].
The following versions of Oracle Database software were verified to be
vulnerable to all 20 identified weaknesses:
- Oracle Database 11g Release 2 (11.2.0.1.0) for Microsoft Windows x64
- Oracle Database 11g Release 2 (11.2.0.4.5) Patch Bundle 18590877 for
Microsoft Windows x64
- Oracle Database 12c Release 1 (12.1.0.1.0) for Microsoft Windows x64
- Oracle Database 12c Release 1 (12.1.0.1.9) Bundle Patch 18724015 for
Microsoft Windows x64
Our vulnerability report containing brief technical details of all identified
issues and exploitation techniques along with corresponding Proof of Concept
codes were sent to Oracle today.
It's been almost 2 years since Java Reflection API issues were brought to the public attention. Regardless of that, simple instances of these issues are still
present in Oracle products other than Java SE.
This is probably a good moment to remind what we said almost a year ago at the
time of wrapping up our Java SE security research [4]:
"If Oracle had any Software Security Assurance procedures adopted for Java SE,
most of simple Reflection API flaws along with a known, 10+ years old attack
should have been eliminated prior to Java SE 7 release. This didn't happen,
thus it is reasonable to assume that Oracle's security policies and procedures
are either not worth much or their implementation is far from perfect. That
thought alone should catch attention of Oracle customers not necessarily
relying on Java SE, but rather on other Oracle products, which were likely the
subject to the very same, questionable Software Security Assurance policies
and procedures as Java SE 7".
Thank you.
Best Regards,
Adam Gowdiak
---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------
References:
[1] Oracle Database
http://www.oracle.com/database
[2] Secure Coding Guidelines for the Java Programming Language, Version 4.0
http://www.oracle.com/technetwork/java/seccodeguide-139067.html
[3] Oracle's Ellison downplays threat of NSA database snooping
http://www.reuters.com/article/2014/01/30/us-oracle-nsa-idUSBREA0T05U20140130
[4] [SE-2012-01] New Reflection API affected by a known 10+ years old attack
http://seclists.org/fulldisclosure/2013/Jul/172