5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Java' Packages - Java Packages

Information

As described below, Oracle Database PL/SQL 'Java' packages - DBMS_JAVA and DBMS_JAVA_TEST - provide APIs to run Java classes or grant Java packages. The user PUBLIC should not be able to execute these packages.

The Oracle database DBMS_JAVA package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA.

The Oracle database DBMS_JAVA_TEST package can run Java classes (e.g. OS commands) or grant Java privileges. The user PUBLIC should not be able to execute DBMS_JAVA_TEST.

Rationale:

As described below, Oracle Database PL/SQL 'Java' packages - DBMS_JAVA and DBMS_JAVA_TEST - should not be granted to PUBLIC.

The DBMS_JAVA package could allow an attacker to run OS commands from the database.

The DBMS_JAVA_TEST package could allow an attacker to run operating system commands from the database.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;
REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;

See Also

https://workbench.cisecurity.org/benchmarks/13413