Re: Oracle 0 day
Date: Mon, 22 Feb 2010 16:32:42 +0100
No, you had better revoke execute from public on all three mentioned ones. But you need to test for consequences for things like datapump or any other feature that relies one way or the other on the database JVM when you do that.
To see the whole presentation of David Litchfield, see http://www.blackhat.com/html/bh-dc-10/bh-dc-10-archives.html and look for his movie and mp3.
To see a good assessment of the DBMS_JVM_EXP_PERMS issue see Paul Wright's
Note that exploits exist that work in 10g also.
To all: be warned, do not just let the bad guys know of features like this one.
> Quick question, does revoking just SYS.DBMS_JVM_EXP_PERMS fix the problem
> or do we need to do all 3? From looking at the exploit it seems that
> SYS.DBMS_JVM_EXP_PERMS is the problem but the published recommendation is to
> revoke all three.
> We have some databases without SYS.DBMS_JVM_EXP_PERMS but which have one
> or the other so that might save some work.
> Jay Miller
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Andre van Winssen
> Sent: Friday, February 05, 2010 6:31 AM
> To: oracle-l_at_freelists.org
> Subject: Oracle 0 day
> Hi listmembers,
> The exploit code as published on http://blog.red-database-security.com/ by
> Alex works against 11gR1 and 11gR2 using a database user that only has
> CREATE SESSION priv.
> So production DBAs: be warned. The obvious workaround is to revoke EXECUTE
> privilege from public on package SYS.DBMS_JVM_EXP_PERMS, but the impact of that
> revocation on your own database needs to be tested.
> the blackhat movie (
> is currently unavailable for some reason :-
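
Added example, not part of the original thread and not any poster's code: one way to audit the PUBLIC grant, revoke it, and check for fallout, using the standard DBA_TAB_PRIVS, DBA_DEPENDENCIES and DBA_OBJECTS views. The thread names only SYS.DBMS_JVM_EXP_PERMS, so the other two packages are left for you to add to each IN list from the advisory you are following.

```sql
-- Added example. Run as a DBA, on a test copy of the database first.
-- Only the package named in the thread is listed; extend each IN list
-- with the other two packages from the advisory you follow.

-- 1. Who can execute the package today? A row with GRANTEE = 'PUBLIC'
--    means any account, even one holding only CREATE SESSION, can call it.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    privilege  = 'EXECUTE'
AND    table_name IN ('DBMS_JVM_EXP_PERMS')
ORDER  BY table_name, grantee;

-- 2. Which non-SYS objects reference the package, directly or through a
--    public synonym? These are the candidates to break after the revoke.
SELECT owner, name, type, referenced_owner, referenced_name, referenced_type
FROM   dba_dependencies
WHERE  referenced_owner IN ('SYS', 'PUBLIC')
AND    referenced_name  IN ('DBMS_JVM_EXP_PERMS')
AND    owner <> 'SYS'
ORDER  BY owner, name;

-- 3. Baseline of invalid objects, so new invalidations stand out later.
SELECT owner, object_type, COUNT(*) AS invalid_count
FROM   dba_objects
WHERE  status = 'INVALID'
GROUP  BY owner, object_type
ORDER  BY owner, object_type;

-- 4. The workaround discussed in the thread.
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- 5. Verify: this must return no rows for the revoked package.
SELECT grantee, table_name
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    table_name IN ('DBMS_JVM_EXP_PERMS');

-- 6. Re-run query 3 and compare with the baseline, then exercise Data Pump
--    and any other feature that relies on the database JVM.
```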