Oracle Database Java VM Holes

Friday, June 27, 2014 @ 03:06 PM gHale


There are 22 vulnerabilities affecting the custom Java Virtual Machine (JVM) implementation used in Oracle Database.

The issues affecting Oracle JVM (Aurora VM) were reported to Oracle last week by Poland-based security research company Security Explorations, which has been working on this for four months.


Oracle indirectly confirmed the existence of 20 of the 22 flaws. Some ended up fixed in the main codeline and are on schedule for a future Critical Patch Update (CPU), said Adam Gowdiak, Security Explorations chief executive.

The remaining flaws are “under investigation/being fixed in main codeline.”

An attacker could use the vulnerabilities for privilege escalation and then execute arbitrary Java code on an affected Oracle Database server.

“By escaping the Java VM security sandbox of Oracle Database, one can easily gain database admin privileges in it. Java based exploits make such a privilege elevation in particular simple,” Gowdiak said. “Java security vulnerabilities can have a devastating effect not only for desktop users (Java Plugin in the browser), but also for cloud and database environments.”

The vulnerabilities are from flaws in the Java Reflection API, which has been responsible for quite a few Java SE security issues in 2012 and 2013, Gowdiak said.

Security Explorations successfully reproduced the exploits on Oracle Database 11g Release 2 (11.2.0.1.0) for Microsoft Windows x64, Oracle Database 11g Release 2 (11.2.0.4.5) Patch Bundle 18590877 for Microsoft Windows x64, Oracle Database 12c Release 1 (12.1.0.1.0) for Microsoft Windows x64 and Oracle Database 12c Release 1 (12.1.0.1.9) Bundle Patch 18724015 for Microsoft Windows x64.
