DB: Oracle Database DBMS_JAVA.SET_OUTPUT_TO_JAVA Privilege Escalation
This signature detects attempts to exploit a known flaw in Oracle. A vulnerability exists in Oracle Database 11g server that could allow users with limited privileges to execute SQL commands with SYS privileges on the server. The vulnerability is due to an access control weakness that allows non-privileged users to execute methods in the DBMS_JAVA package. Remote authenticated users with only CREATE_SESSION privileges can exploit this vulnerability via the SET_OUTPUT_TO_JAVA method and execute arbitrary SQL commands on the target server.
Extended Description
Oracle Database is prone to multiple remote privilege-escalation issues because it fails to properly restrict access to certain packages. The attacker can exploit these issues to escalate their privileges to DBA or execute arbitrary operating system commands with SYSTEM privileges, leading to a complete compromise of an affected computer. These vulnerabilities affect Oracle Database 11gR2. One of the issues also affects Oracle Database 10gR2.
Affected Products
Oracle oracle10g_standard_edition
Short Name
DB:ORACLE:DBMS:OUTPUT-TO-JAVA
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
DB
Keywords
CVE-2010-0867 DBMS_JAVA.SET_OUTPUT_TO_JAVA Database Escalation Oracle Privilege bid:38115
Release Date
11/12/2012
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Unknown
Vendors
Oracle
CVSS Score
4.0