| CVE ID | CVE-2010-2419 |
| CVSS SCORE | 9.0, AV:N/AC:L/Au:S/C:C/I:C/A:C |
| AFFECTED VENDORS |
Oracle |
| AFFECTED PRODUCTS |
Database Server |
| VULNERABILITY DETAILS |
This vulnerability allows remote attackers to break out of the Java Sandbox implemented by Oracle's relational database. Authentication is required in that a user must be able to create a Java stored procedure to trigger the issue. The specific flaw exists within Oracle's custom SecurityManager implementation. Due to the implementation's dependence on a flag of a particular object to determine success or failure of a privileged call, a race condition exists which will allow one to execute Java code bypassing the sandbox. Successful exploitation will allow an attacker to execute arbitrary code in the context of the server. |
| ADDITIONAL DETAILS |
Oracle has issued an update to correct this vulnerability. More details can be found at:
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html |
| DISCLOSURE TIMELINE |
|
| CREDIT | Sami Koivu |
