6.1.4 Ensure 'CREATE EXTERNAL JOB' Is Revoked From Unauthorized 'GRANTEE'

Information

The CREATE EXTERNAL JOB privilege in Oracle allows a user to create external jobs that run at the OS level using Oracle Scheduler.

If this privilege is granted to unauthorized users, it can lead to privilege escalation, system compromise, and security risks. It allows unauthorized users to perform actions like modifying system files, executing scripts, or starting/stopping services.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke. Please ensure proper impact analysis is done before revoking the privilege from a role.

REVOKE CREATE EXTERNAL JOB FROM <grantee>;

In the case of a grant via a role:

REVOKE <rolename> FROM <grantee>;

See Also

https://workbench.cisecurity.org/benchmarks/16474