RE: Oracle 0 day

From: <>
Date: Mon, 22 Feb 2010 09:57:37 -0500
Message-ID: <>

Quick question, does revoking just SYS.DBMS_JVM_EXP_PERMS fix the problem or do we need to do all 3? From looking at the exploit it seems that SYS.DBMS_JVM_EXP_PERMS is the problem but the published recommendation is to revoke all three.  

We have a some databases without SYS.DBMS_JVM_EXP_PERMS but which have one or the other so that might save some work.  


Jay Miller  

[] On Behalf Of Andre van Winssen Sent: Friday, February 05, 2010 6:31 AM
Subject: Oracle 0 day

Hi listmembers,  

the exploit code as published on by Alex works against 11gR1 and 11gR2 using a database user that only has CREATE SESSION priv.  

so production dba's : be warned. Obvious workaround is to revoke EXECUTE privilege from public on package SYS.DBMS_JVM_EXP_PERMS but impact of that revocation on your own database needs to be tested.  

the blackhat movie
( is currently unavailable for some reason :-  


Received on Mon Feb 22 2010 - 08:57:37 CST

Original text of this message