In a result of its research investigation efforts, Security Explorations discovered multiple security vulnerabilities in the implementation of a Java VM embedded in Oracle Database software.
This section of our website presents initial information regarding the project that lead to this discovery:
We didn't plan to evaluate security of Oracle Database. This research was built upon "leftovers" from our Oracle Java Cloud Service project (unused bugs that didn't fit SE-2013-01 project).
Oracle Database Java VM (Oracle JVM or Aurora VM) is a custom implementation of a Java Virtual Machine by Oracle that is tightly integrated with Oracle Database software.
Discovered security issues violate Oracle's own "Secure Coding Guidelines for the Java Programming Language" [1]. Most of them demonstrate a very well known problem related to Java SE security (insecure use of Java Reflection API [2]). This API was a direct cause for dozens of security vulnerabilities in Java SE reported to the vendor in 2005, 2012 and 2013.
A user of Oracle Database software with a bare minimum privilege required to connect and login to it (with a "CREATE SESSION" privilege only) can successfully compromise its security.
We identified a vulnerability (Issue 20) that allows for an arbitrary bypass of that requirement.
No. They affect a Java VM implementation of Oracle Database software only.
This is possible due to a tight integration of a Java VM and Oracle Database runtimes. Their security models do not really fit together. As a result, by combining a certain deficiency of Oracle Database security model with a Java VM implementation weakness a successful privilege elevation can be achieved.
Java security weaknesses can pose a significant security risk to any software that relies on a vulnerable Java VM implementation processing untrusted, potentially malicious Java code. Oracle Database is no exception here.
Unfortunately, as of Nov 04, 2014, Oracle Support Documents 360870.1 [4] and 1074055.1 [5] still contained misleading and inaccurate information about the impact of Java Security Vulnerabilities on Oracle Database and Fusion Middleware products.
Java exploits make it in particular easy to elevate privileges to an administrator role in the environment of Oracle Database software.
Discovered flaws are platform independent (Java level flaws). They affect all Oracle Database platforms that embed vulnerable Java VM implementation (HP-UX Itanium, IBM AIX on POWER Systems, IBM Linux on System z, Linux x86/x86-64, Oracle Solaris on SPARC/x86-64, Microsoft Windows x64).
Yes. Almost all vulnerabilities (Issues 1-20) were confirmed to affect both Oracle Database 11g and 12c for Windows x64 and Linux x86-64 with the most recent patches applied (corresponding Patch Bundles / Patch Set Updates from May and Jun 2014). The remaining 2 issues were confirmed to affect the most up-to-date version of Oracle Database 12c for the same platforms.
No. As of Jul 24, 2014 all 22 vulnerabilities remain unpatched. We confirmed that they can be used to achieve arbitrary privilege elevation in Oracle Database 12c with Jul 2014 CPU applied.
According to the status report received from Oracle on Oct 24, 2014, this CPU addresses all 22 security vulnerabilities reported. Not all fixes for them have been available to the public on the CPU date though. Oracle Support Document 1912224.1 [6] indicates that patches for many platforms were made available 1-3 weeks later.
As a response to our inquiry regarding the reasons of issuing incomplete CPU fixes, Oracle claimed that it occasionally allowed the patches to be released the end of the month when the CPU was issued.
The whole research took us 4 months of work in total.
We plan to publish all vulnerabilities' details and Proof of Concept codes through our website.
Last update: Jun-21-2014
Impact characteristics of the Proof of Concept (PoC) codes developed during the research of Oracle Database Java VM security:
This page presents details of security vulnerabilities and attack techniques discovered as a result of our Oracle Database Java VM security research project. These details are provided in a form of original vulnerability reports and accompanying Proof of Concept Codes.
Additionally, the slides for a keynote talk given at JavaLand conference in 2016 are also provided. This talk referred to SE-2014-01 and our other research projects while discussing key problems related to Java platform security, its ecosystem and vendors.
Proof of Concept Codes below are provided purely for educational purposes only. It is expressly forbidden to use them for any purposes that would violate any domestic or international laws. If you do not agree with this policy, please leave this page.
This page presents current status of the communication process with vendors of affected technologies.
