Securing Java in Oracle

New Oracle Java security research was published at the February 2010 Blackhat DC conference, by David Litchfield, which shows how to escalate privilege from the lowest CREATE SESSION privilege to DBA via the DBMS JVM EXP PERMS package associated with the Aurora JVM built into the Oracle DB. In the absence of a patch from Oracle this paper provides information on how to fix these vulnerabilities which occur in both 10g and 11g. Crucially this paper shows how to test the fixes required to secure Java privileges in Oracle, so that the availability of production applications can be shown to be unaffected by those security fixes.