Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.
vulnerability note 9414
Oracle Database: privilege elevation via DBMS_JVM/DBMS_JAVA
Synthesis of the vulnerability
An attacker, authenticated on an Oracle database, can call procedures of DBMS_JVM_EXP_PERMS and DBMS_JAVA, in order to execute commands with system privileges.
Severity: 2/4.
Creation date: 08/02/2010.
Description of the vulnerability
The DBMS_JVM_EXP_PERMS package is used during Oracle updates. The DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS procedure changes the Java privileges of the user.
The DBMS_JAVA package creates and manipulates Java applications from SQL. The DBMS_JAVA.SET_OUTPUT_TO_JAVA procedure defines a method to call when a Java application writes to System.out/err.
By combining DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS and DBMS_JAVA.SET_OUTPUT_TO_JAVA, an attacker can elevate their privileges and execute a shell command.
An attacker, authenticated on an Oracle database, can thus execute commands with system privileges.
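To review exposure to the two packages described above, the following audit queries are an added example and are not part of the Vigil@nce bulletin. They assume access to the DBA_TAB_PRIVS and DBA_JAVA_POLICY dictionary views; the focus on java.io.FilePermission entries with an execute action is a choice made for this example.

```sql
-- Added audit example (not from the bulletin).
-- Assumption: the session can read the DBA_* dictionary views.

-- 1. Which grantees hold EXECUTE on the packages named in the bulletin?
--    Any grantee broader than intended should be reviewed.
SELECT p.grantee,
       p.owner,
       p.table_name AS package_name,
       p.privilege,
       p.grantable
FROM   dba_tab_privs p
WHERE  p.privilege  = 'EXECUTE'
AND    p.table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
ORDER  BY p.table_name, p.grantee;

-- 2. Which grantees currently hold a Java file permission that allows
--    execution? Since IMPORT_JVM_PERMS changes Java privileges, an
--    unexpected grantee here is a sign the policy table was altered.
SELECT j.grantee,
       j.kind,
       j.type_name,
       j.name,
       j.action,
       j.enabled
FROM   dba_java_policy j
WHERE  j.type_name = 'java.io.FilePermission'
AND    LOWER(j.action) LIKE '%execute%'
ORDER  BY j.grantee, j.name;
```

Comparing the output of the second query against a saved baseline makes unexpected changes to the Java policy visible.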
Complete Vigil@nce bulletin
Characteristics
Title: Oracle Database: privilege elevation via DBMS_JVM/DBMS_JAVA.
Keywords: DBMS_JAVA DBMS_JVM DBMS_JVM_EXP_PERMS Database SET_OUTPUT_TO_JAVA Java IMPORT_JVM_PERMS Oracle SQL System elevation privilege.
Identifiers: BID-38115, VIGILANCE-VUL-9414.
Information sources
Solutions for this vulnerability
Computer vulnerabilities tracking service
The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.