Just FYI –
“Currently there are eight Proof of Concept (PoC) codes implementing three different privilege elevation techniques for gaining the administrator role in a target database environment”.
That being said, the proofs of concept are not publicly available but there is also no patch at this time. The next scheduled updates from Oracle are on July 15.
Facilities, Real Estate & Auxiliary Services IT
University of Delaware
From: MS-ISAC Advisory [mailto:MS-ISAC.Advisory@msisac.org]
Sent: Tuesday, June 17, 2014 2:20 PM
To: William Pelgrin
Subject: CIS CYBER SECURITY ADVISORY – Multiple Vulnerabilities in Oracle Database Could Allow Remote Code Execution – TLP: WHITE
CIS CYBER SECURITY ADVISORY
CIS ADVISORY NUMBER:
Multiple Vulnerabilities in Oracle Database Could Allow Remote Code Execution
Multiple unspecified vulnerabilities have been discovered in Oracle Database that could allow remote code execution. Oracle Database is a database management system. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
Currently there are eight Proof of Concept (PoC) codes implementing three different privilege elevation techniques for gaining the administrator role in a target database environment. However, none of these PoCs are available publicly. Please note that a patch is not available at this time.
· Oracle Database 11g Release 2 (220.127.116.11.0) for Microsoft Windows x64
· Oracle Database 11g Release 2 (18.104.22.168.5) Patch Bundle 18590877 for Microsoft Windows x64
· Oracle Database 12c Release 1 (22.214.171.124.0) for Microsoft Windows x64
· Oracle Database 12c Release 1 (126.96.36.199.9) Bundle Patch 18724015 for Microsoft Windows x64
· Large and medium government entities: High
· Small government entities: High
· Large and medium business entities: High
· Small business entities: High
· Home users: N/A
Twenty vulnerabilities have been reported for Oracle Database. Details of the vulnerabilities are not available at this time; however, it has been reported that a malicious user with the bare minimum privileges required to connect and log in to Oracle Database can successfully execute arbitrary Java code on the Oracle Database.
Successful exploitation could result in an attacker gaining the same privileges as the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.
We recommend the following actions be taken:
· Update vulnerable Oracle Database products immediately after appropriate testing when a patch becomes available.
· Consider limiting access to Oracle Server until a patch becomes available.
· Consider implementing the CIS Benchmarks for Oracle Database Server.
Center for Internet Security (CIS)
31 Tech Valley Drive
East Greenbush, NY 12061
7×24 SOC: 1-866-787-4722 (518-266-3488)
Follow us @CISecurity
Traffic Light Protocol (TLP): WHITE information may be distributed without restriction, subject to copyright controls.