RE: Oracle 0 day

From: <Jay.Miller_at_tdameritrade.com>
Date: Mon, 22 Feb 2010 09:57:37 -0500
Message-ID: <CA405610095C8F42B6FEBFAAA09A7A2A0268FCF6_at_prdkcwsemlmb05.prod-am.ameritrade.com>



Quick question, does revoking just SYS.DBMS_JVM_EXP_PERMS fix the problem or do we need to do all 3? From looking at the exploit it seems that SYS.DBMS_JVM_EXP_PERMS is the problem but the published recommendation is to revoke all three.  

We have some databases without SYS.DBMS_JVM_EXP_PERMS but which have one or the other so that might save some work.  

Thanks,

Jay Miller  


From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Andre van Winssen
Sent: Friday, February 05, 2010 6:31 AM
To: oracle-l_at_freelists.org
Subject: Oracle 0 day

Hi listmembers,  

the exploit code as published on http://blog.red-database-security.com/ by Alex works against 11gR1 and 11gR2 using a database user that only has CREATE SESSION priv.  

so production dba's : be warned. Obvious workaround is to revoke EXECUTE privilege from public on package SYS.DBMS_JVM_EXP_PERMS but impact of that revocation on your own database needs to be tested.  

the blackhat movie
(https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov) is currently unavailable for some reason :-  

Regards,
Andre

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Feb 22 2010 - 08:57:37 CST
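
The check, impact review, and revoke discussed in the thread above, as an added example that is not part of the original messages. It assumes a DBA session (SQL*Plus as SYS or similar) and lists only the package named in the thread; the other two packages from the published recommendation are not named here and would be added to each IN list.

```sql
-- Added example, not from the thread. Run as a DBA in a test copy first.
-- Assumption: only SYS.DBMS_JVM_EXP_PERMS (named in the thread) is listed;
-- extend the IN lists with the other packages from the published recommendation.

-- 1. Is EXECUTE on the package currently granted to PUBLIC?
SELECT owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    owner      = 'SYS'
AND    table_name IN ('DBMS_JVM_EXP_PERMS');

-- 2. Impact review: objects outside SYS/SYSTEM that reference the package.
--    A reference made through a public synonym, if one exists, shows
--    PUBLIC as the referenced owner, so both owners are checked.
SELECT owner, name, type, referenced_owner
FROM   dba_dependencies
WHERE  referenced_owner IN ('SYS', 'PUBLIC')
AND    referenced_name  IN ('DBMS_JVM_EXP_PERMS')
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, name;

-- 3. Apply the workaround from the thread.
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- 4. Verify: query 1 should now return no rows, and the revoke should not
--    have left application objects invalid.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, object_name;

-- Rollback if testing shows breakage:
-- GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO PUBLIC;
```

Schemas that turn up in step 2 and legitimately need the package can be given a direct EXECUTE grant instead of relying on PUBLIC.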
