RE: Oracle 0 day

Quick question, does revoking just SYS.DBMS_JVM_EXP_PERMS fix the
problem or do we need to do all 3?  From looking at the exploit it seems
that SYS.DBMS_JVM_EXP_PERMS is the problem but the published
recommendation is to revoke all three.
 
We have some databases without SYS.DBMS_JVM_EXP_PERMS but which have
one or the other so that might save some work.
 
Thanks,

Jay Miller 


 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Andre van Winssen
Sent: Friday, February 05, 2010 6:31 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Oracle 0 day


Hi listmembers,
 
the exploit code as published on http://blog.red-database-security.com/
by Alex works against 11gR1 and 11gR2 using a database user that only
has CREATE SESSION priv. 
 
so production DBAs: be warned. Obvious workaround is to revoke EXECUTE
privilege from public on package SYS.DBMS_JVM_EXP_PERMS but impact of
that revocation on your own database needs to be tested.
 
the blackhat movie
(https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov)
is currently unavailable for some reason :-
 
Regards,
Andre
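
Added example, not part of either message above: one way to check a database before and after the revoke that Andre describes, limited to the one package named in the thread. It assumes a DBA session with access to the DBA_* dictionary views and that the REVOKE is run as SYS; the ordering of the steps is this example's own.

```sql
-- 1. Is the package present in this database at all?
SELECT owner, object_name, object_type, status
FROM   dba_objects
WHERE  owner = 'SYS'
AND    object_name = 'DBMS_JVM_EXP_PERMS';

-- 2. Who currently holds EXECUTE on it? A row with GRANTEE = 'PUBLIC'
--    is the grant the workaround removes.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_JVM_EXP_PERMS'
AND    privilege = 'EXECUTE'
ORDER  BY grantee;

-- 3. Impact check: non-SYS objects that reference the package, directly
--    or through a public synonym. These are the candidates that may
--    break or go INVALID once PUBLIC loses EXECUTE.
SELECT owner, name, type, referenced_owner, referenced_type
FROM   dba_dependencies
WHERE  referenced_name = 'DBMS_JVM_EXP_PERMS'
AND    referenced_owner IN ('SYS', 'PUBLIC')
AND    owner <> 'SYS'
ORDER  BY owner, name;

-- 4. The workaround from the post (test on a non-production copy first).
REVOKE EXECUTE ON SYS.DBMS_JVM_EXP_PERMS FROM PUBLIC;

-- 5. Confirm the PUBLIC grant is gone (expect no rows).
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_JVM_EXP_PERMS'
AND    grantee = 'PUBLIC';

-- 6. List anything the revoke invalidated; compare with the same query
--    run before step 4 to isolate new entries.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;
```

If step 3 returns application-owned objects, grant EXECUTE to those specific schemas only where the dependency is legitimate rather than restoring the PUBLIC grant.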
