Re: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues

  • From: "David Litchfield" <david@xxxxxxxxxxxxxxxxxxxx>
  • To: <dreveewee@xxxxxxxxx>, "'Oracle-L Group'" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 24 Feb 2010 11:53:58 -0000

Hi Andre,
You should also revoke execute from PUBLIC on DBMS_JAVA, too, and grant execute 
to only those that require it. The SET_OUTPUT_TO_JAVA function can be used to 
run arbitrary SQL as SYS. Please see 
http://www.databasesecurity.com/HackingAurora.pdf for more details. On a side 
note, I'm glad that Oracle recognize that the principle of least privilege is 
important. Would be nice now if they act on this, and deliver a product which 
has a much tighter set of default privileges.
Cheers,
David
  ----- Original Message ----- 
  From: Andre van Winssen 
  To: 'Oracle-L Group' 
  Sent: Wednesday, February 24, 2010 7:23 AM
  Subject: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms 
security issues


  Oracle support just gave me following useful feedback regarding the security 
issues with oracle/aurora/util/Wrapper and dbms_jvm_exp_perms that I want to 
share with you.

   

  <quote>

  Hi Andre,

   

  One of the most important principles for securing systems is the "least 
privilege" principle (a.k.a. principle of "minimal privilege"). Under this 
principle, every process, user, etc. must be able to access only such 
information and resources that are necessary to achieve its intended function.

   

  As a result, Oracle recommends that, when possible, Database Administrators 
should:

   

  - revoke execute on "oracle/aurora/util/Wrapper" from public;

   

  This will revoke the Java function that allows Database users to call 
operating system functions as the Oracle user. This is applicable to all 
Database Versions.

   

  For Database versions 10gR2 and later:

  - grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;

  - grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;

  - revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

   

  The above steps will revoke the Java functions that allow Database users to 
set Java privileges for Database users, while granting back appropriate 
privileges for the Database Import/Export procedures and for the Database 
DataPump procedures that need them. 

   

  Note that neither "oracle/aurora/util/Wrapper" nor sys.dbms_jvm_exp_perms are 
described in Oracle documentation. If customers have used these undocumented 
and unsupported features, they may encounter regressions that can be resolved 
by granting back these privileges to appropriate trusted users as a temporary 
solution.

   

  Read about Oracle Critical Patch Update process and Security Alerts homepage:

  http://www.oracle.com/technology/deploy/security/alerts.htm 

   

  Oracle Security Vulnerability Fixing Policy is available at:

  http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html

   

  ..

  </quote>

   

  Andre

   

Other related posts: