[SE-2014-01] Security vulnerabilities in Oracle Database Java VM


Hello All, Security Explorations discovered multiple security issues in the implementation of a Java VM embedded in Oracle Database software [1]. Discovered security issues violate many "Secure Coding Guidelines for the Java Programming Language" [2]. Most of them demonstrate a well known problem related to Java SE security. Among a total of 20 weaknesses discovered, there are issues that allow to create a specific Java security bypass condition or that facilitate the execution of arbitrary Java code on Oracle Database server without proper privileges. We developed reliable Proof of Concept codes for all of the issues found. This includes 8 exploit codes implementing 3 different privilege elevation techniques for gaining administrator role in a target database environment. A malicious user with a bare minimum privilege required to connect and login to Oracle Database (with "CREATE SESSION" privilege only) can successfully compromise the security of the software that according to Oracle CEO "hasn't been broken into for a couple of decades by anybody" and that is "so secure, there are people that complain" [3]. The following versions of Oracle Database software were verified to be vulnerable to all 20 identified weaknesses: - Oracle Database 11g Release 2 ( for Microsoft Windows x64 - Oracle Database 11g Release 2 ( Patch Bundle 18590877 for Microsoft Windows x64 - Oracle Database 12c Release 1 ( for Microsoft Windows x64 - Oracle Database 12c Release 1 ( Bundle Patch 18724015 for Microsoft Windows x64 Our vulnerability report containing brief technical details of all identified issues and exploitation techniques along with corresponding Proof of Concept codes were sent to Oracle today. It's been almost 2 years since Java Reflection API issues were brought to the public attention. Regardless of that, simple instances of these issues are still present in Oracle products other than Java SE. This is probably a good moment to remind what we said almost a year ago at the time of wrapping up our Java SE security research [4]: "If Oracle had any Software Security Assurance procedures adopted for Java SE, most of simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect. That thought alone should catch attention of Oracle customers not necessarily relying on Java SE, but rather on other Oracle products, which were likely the subject to the very same, questionable Software Security Assurance policies and procedures as Java SE 7". Thank you. Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to the new level" --------------------------------------------- References: [1] Oracle Database http://www.oracle.com/database [2] Secure Coding Guidelines for the Java Programming Language, Version 4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html [3] Oracle's Ellison downplays threat of NSA database snooping http://www.reuters.com/article/2014/01/30/us-oracle-nsa-idUSBREA0T05U20140130 [4] [SE-2012-01] New Reflection API affected by a known 10+ years old attack http://seclists.org/fulldisclosure/2013/Jul/172