5.1.1.1 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Network' Packages

Information

As described below, the Oracle Database PL/SQL 'Network' packages - DBMS_LDAP, UTL_INADDR, UTL_TCP, UTL_MAIL, UTL_SMTP, UTL_DBWS, UTL_ORAMTS, UTL_HTTP and the object type HTTPURITYPE - provide PL/SQL APIs that let a database session resolve host names and open connections from the database server to remote hosts (LDAP, raw TCP, SMTP, HTTP and web services). A grant to PUBLIC is a grant to every account in the database, so PUBLIC should not be able to execute these packages.

The Oracle database DBMS_LDAP package contains functions and procedures that enable PL/SQL programs to connect to LDAP directory servers and query or modify the data they hold.

The Oracle database UTL_INADDR package provides an API to retrieve the host names and IP addresses of local and remote hosts, i.e. to perform forward and reverse DNS lookups from the database server.

The Oracle database UTL_TCP package provides client-side TCP/IP access: PL/SQL running on the database server can open a socket to any host and port reachable from that server and read from or write to it.

The Oracle database UTL_MAIL package can be used to send email (including attachments) from the server where the Oracle instance is installed. It is not created by the default installation; it is loaded by running utlmail.sql and prvtmail.plb from $ORACLE_HOME/rdbms/admin.

The Oracle database UTL_SMTP package implements the client side of SMTP and can be used to send email from the server where the Oracle instance is installed.

The Oracle database UTL_DBWS package lets PL/SQL call external web services (SOAP over HTTP), with the database acting as the web-service client. This package is not installed automatically for security reasons; it is a separate download that must be loaded deliberately.

The Oracle database UTL_ORAMTS package can be used to perform HTTP requests. This could be used to send information to the outside.

The Oracle database UTL_HTTP package can be used to perform HTTP and HTTPS requests from the database server. This could be used to send information to the outside.

The Oracle database HTTPURITYPE object type can be used to fetch a URL over HTTP from within a plain SQL statement (for example via its GETCLOB, GETBLOB and GETXML methods), so it gives anyone who can run a query the same outbound capability as UTL_HTTP.

Rationale:

As described below, the Oracle Database PL/SQL packages DBMS_LDAP, UTL_INADDR, UTL_TCP, UTL_MAIL, UTL_SMTP, UTL_DBWS, UTL_ORAMTS, UTL_HTTP and the type HTTPURITYPE can be used by unauthorized users (for example through an account reached by SQL injection) to create specially crafted error messages that echo query results back, or to send information to external servers over DNS, LDAP, TCP, SMTP or HTTP. Because a grant to PUBLIC applies to every account, PUBLIC should not be able to execute these packages.

The DBMS_LDAP package can be used to create specially crafted error messages or to send information via DNS to the outside: the host name passed to DBMS_LDAP.INIT is resolved through DNS before any LDAP connection is made, so data embedded in that name reaches an attacker-controlled name server even if the connection itself fails.

The UTL_INADDR package can be used in the same way. Passing the result of a subquery as the host name to UTL_INADDR.GET_HOST_ADDRESS makes the resulting error (ORA-29257: host ... unknown) display the data, and the DNS lookup of that name carries it to the outside even when error messages are suppressed.

The UTL_TCP package could allow an unauthorized user to open an outbound TCP connection from the database server to any reachable host and port and to read or write arbitrary bytes on it. This is enough to port-scan the internal network behind the database, speak any protocol to internal services, and exfiltrate data over a channel the database does not inspect.

The UTL_MAIL and UTL_SMTP packages could allow an unauthorized user to send mail from the database server: exfiltrating data as message bodies or attachments, generating spam or phishing that is attributed to the organization, or flooding the mail relay with junk mail until the relay or the network is saturated and legitimate mail is denied.

The UTL_DBWS package could allow an unauthorized user to call external web services from the database server, which provides the same outbound HTTP channel for leaking information as UTL_HTTP.

The UTL_ORAMTS and UTL_HTTP packages and the HTTPURITYPE type could all be used to send (sensitive) information to external websites, for example by placing query results in a request URL or body. The ability to perform HTTP requests is therefore a direct channel for leaking information from the database to an external destination, and the use of these packages should be restricted to the accounts the organization has decided need them.
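The audit check that goes with this rationale, added here as an example (it is not part of the benchmark text): the first query lists every EXECUTE grant to PUBLIC on the network packages and returns no rows on a compliant database; the second does the same across all open containers of a multitenant database; the third finds the application schemas whose code depends on these packages, which are the accounts that will need a direct grant once PUBLIC loses its access. The `oracle_maintained` column is assumed to be available (it exists from 12c onwards).

```sql
-- Audit: any EXECUTE grant to PUBLIC on a network package is a finding.
-- Non-CDB database, or run while connected to a single PDB.
SELECT owner, table_name, privilege, grantee
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND privilege  = 'EXECUTE'
   AND table_name IN ('DBMS_LDAP', 'UTL_INADDR', 'UTL_TCP', 'UTL_MAIL',
                      'UTL_SMTP', 'UTL_DBWS', 'UTL_ORAMTS', 'UTL_HTTP',
                      'HTTPURITYPE')
 ORDER BY table_name;

-- Multitenant: run from CDB$ROOT so the root and every open PDB are checked
-- in one pass. CDB_ views return nothing for a closed PDB, so open them first.
SELECT c.name AS container, p.owner, p.table_name, p.privilege, p.grantee
  FROM cdb_tab_privs p
  JOIN v$containers c ON c.con_id = p.con_id
 WHERE p.grantee    = 'PUBLIC'
   AND p.privilege  = 'EXECUTE'
   AND p.table_name IN ('DBMS_LDAP', 'UTL_INADDR', 'UTL_TCP', 'UTL_MAIL',
                        'UTL_SMTP', 'UTL_DBWS', 'UTL_ORAMTS', 'UTL_HTTP',
                        'HTTPURITYPE')
 ORDER BY c.name, p.table_name;

-- Impact analysis before remediation: non-Oracle schemas whose stored code
-- references a network package. These need GRANT EXECUTE directly, otherwise
-- their objects go INVALID when the PUBLIC grant is revoked.
SELECT DISTINCT d.owner, d.name, d.type, d.referenced_name
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name IN ('DBMS_LDAP', 'UTL_INADDR', 'UTL_TCP', 'UTL_MAIL',
                             'UTL_SMTP', 'UTL_DBWS', 'UTL_ORAMTS', 'UTL_HTTP',
                             'HTTPURITYPE')
   AND d.owner NOT IN (SELECT username FROM dba_users
                        WHERE oracle_maintained = 'Y')  -- 12c+; use an explicit list on 11g
 ORDER BY d.owner, d.name;
```

A schema that appears in the third query but has no business reason to talk to the network is itself worth a closer look: outbound calls from stored code are exactly what an attacker who gains a foothold in that schema would use.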

Solution

To remediate this setting, execute the following SQL statements as a user with the privilege to revoke object privileges from PUBLIC (for example SYS). In a multitenant database the grant to PUBLIC exists separately in CDB$ROOT and in each pluggable database, so connect to every container where it is present and revoke it there. Before revoking, identify the application schemas that depend on a package and grant them EXECUTE directly, otherwise their code is invalidated. If a package is not installed (UTL_DBWS, and UTL_MAIL unless utlmail.sql was run), its REVOKE fails with ORA-04042 and can be skipped.

REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;
REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;
REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;
REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;
REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;
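The same remediation as one PL/SQL block, added here as an example (it is not the benchmark's own remediation): it revokes EXECUTE from PUBLIC on each package in turn and tolerates the two conditions that make the plain REVOKE list abort partway, a package that is not installed (ORA-04042) and a grant that has already been removed (ORA-01927). The closing GRANT shows the direct grant that replaces the PUBLIC one; APP_OWNER is a hypothetical application schema.

```sql
SET SERVEROUTPUT ON

-- Run as SYS in each container (CDB$ROOT and every PDB) that holds the grant;
-- in a CDB switch with ALTER SESSION SET CONTAINER = <pdb> between runs.
DECLARE
  TYPE t_names IS TABLE OF VARCHAR2(30);
  l_pkgs      t_names := t_names('DBMS_LDAP', 'UTL_INADDR', 'UTL_TCP',
                                 'UTL_MAIL', 'UTL_SMTP', 'UTL_DBWS',
                                 'UTL_ORAMTS', 'UTL_HTTP', 'HTTPURITYPE');
  e_no_object EXCEPTION;  -- ORA-04042: procedure, function, package, or package body does not exist
  e_no_grant  EXCEPTION;  -- ORA-01927: cannot REVOKE privileges you did not grant
  PRAGMA EXCEPTION_INIT(e_no_object, -4042);
  PRAGMA EXCEPTION_INIT(e_no_grant,  -1927);
BEGIN
  FOR i IN 1 .. l_pkgs.COUNT LOOP
    BEGIN
      -- Qualify with SYS so the revoke targets the package itself rather than
      -- relying on the public synonym resolving correctly.
      EXECUTE IMMEDIATE 'REVOKE EXECUTE ON SYS.' || l_pkgs(i) || ' FROM PUBLIC';
      DBMS_OUTPUT.PUT_LINE('revoked EXECUTE on SYS.' || l_pkgs(i) || ' from PUBLIC');
    EXCEPTION
      WHEN e_no_object THEN
        -- UTL_DBWS, and UTL_MAIL unless utlmail.sql was run, may be absent.
        DBMS_OUTPUT.PUT_LINE(l_pkgs(i) || ': not installed, nothing to revoke');
      WHEN e_no_grant THEN
        DBMS_OUTPUT.PUT_LINE(l_pkgs(i) || ': PUBLIC already has no EXECUTE grant');
    END;
  END LOOP;
END;
/

-- Replace the blanket PUBLIC grant with a direct grant to the one schema that
-- was found to need the package (APP_OWNER is a hypothetical schema name).
GRANT EXECUTE ON SYS.UTL_HTTP TO app_owner;
```

After the block has been run in every container, re-run the audit query from the Rationale section; it should return no rows, and any schema whose objects went INVALID is one that was missed in the dependency review and needs its own grant.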

See Also

https://workbench.cisecurity.org/files/2741