It is an interesting coincidence of timing that, within a week of the Oracle Sun deal being finalised by the EU [1], the Blackhat conference in DC should publish David Litchfield’s research for NGS Software [2] on how to escalate privilege using the Java functionality built into the Oracle DB [3]. David’s research is not yet patched, so it would normally have been shared privately only with the administrators at Oracle’s SecAlert, but it has been made public, so it is now risk mitigation time.
Thankfully, these Java related Oracle vulnerabilities had been discussed privately for a number of months beforehand, giving the author time to fix them with a provably low risk of affecting other Oracle functionality.
In the absence of a patch from Oracle, this paper provides information on how to fix the Java related vulnerabilities in both 10g and 11g which were detailed in David’s Blackhat presentation on February 2nd 2010.