5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on 'Non-default' Packages

Information

The packages described in this control are not granted to PUBLIC by default ('Non-default' packages). These packages should not be granted to PUBLIC.

The Oracle database DBMS_BACKUP_RESTORE package is used for applying PL/SQL commands to the native RMAN sequences.

The Oracle database DBMS_FILE_TRANSFER package allows a user to transfer files from one database server to another.

The Oracle database DBMS_SYS_SQL, DBMS_REPCAT_SQL_UTL, INITJVMAUX, DBMS_AQADM_SYS, DBMS_STREAMS_RPC, DBMS_PRVTAQIM, LTADM and DBMS_IJOB packages are shipped as undocumented.

Rationale:

As described below, this 'non-default' group of PL/SQL packages, which are not granted to PUBLIC by default, should not be granted to PUBLIC.

The DBMS_BACKUP_RESTORE package can allow access to OS files.

The DBMS_FILE_TRANSFER package could allow a user to transfer files from one database server to another without authorization to do so.

The DBMS_SYS_SQL package could allow a user to run code as a different user without entering valid credentials.

The DBMS_REPCAT_SQL_UTL package could allow an unauthorized user to run SQL commands as user SYS.

The INITJVMAUX package could allow an unauthorized user to run SQL commands as user SYS.

The DBMS_AQADM_SYS package could allow an unauthorized user to run SQL commands as user SYS.

The DBMS_STREAMS_RPC package could allow an unauthorized user to run SQL commands as user SYS.

The DBMS_PRVTAQIM package could allow an unauthorized user to escalate privileges because any SQL statements could be executed as user SYS.

The LTADM package could allow an unauthorized user to run any SQL command as user SYS. It allows privilege escalation if granted to unprivileged users.

The DBMS_IJOB package could allow an attacker to change identities by using a different username to execute a database job. It allows a user to run database jobs in the context of another user.

Solution

To remediate this setting, execute the following SQL statements, keeping in mind that if a grant exists in both the container database and a pluggable database, you must connect to each of them to revoke it.

REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;
REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC;
REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;
REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;
REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;
REVOKE EXECUTE ON LTADM FROM PUBLIC;
REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;
REVOKE EXECUTE ON DBMS_PDB_EXEC_SQL FROM PUBLIC;
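An audit query and a matching REVOKE generator for this control, added here as an example and not taken from the benchmark text. It assumes an Oracle 12c or later multitenant database, a session connected to CDB$ROOT, and SELECT access to CDB_TAB_PRIVS and V$CONTAINERS; the package list is the one given in the remediation above.

```sql
-- Audit: list every EXECUTE grant to PUBLIC on the packages this control covers,
-- across all containers. An empty result set means the control is satisfied.
-- CON_ID 1 is CDB$ROOT; higher CON_IDs are individual pluggable databases.
SELECT c.name       AS container,
       p.owner,
       p.table_name AS package_name,
       p.grantee,
       p.privilege
FROM   cdb_tab_privs p
JOIN   v$containers  c ON c.con_id = p.con_id
WHERE  p.grantee    = 'PUBLIC'
AND    p.privilege  = 'EXECUTE'
AND    p.table_name IN ('DBMS_BACKUP_RESTORE', 'DBMS_FILE_TRANSFER', 'DBMS_SYS_SQL',
                        'DBMS_REPCAT_SQL_UTL', 'INITJVMAUX',         'DBMS_AQADM_SYS',
                        'DBMS_STREAMS_RPC',    'DBMS_PRVTAQIM',      'LTADM',
                        'DBMS_IJOB',           'DBMS_PDB_EXEC_SQL')
ORDER BY c.name, p.table_name;

-- Remediation generator: one owner-qualified REVOKE per finding, tagged with the
-- container it must be run in. Each REVOKE only takes effect in the container
-- where the grant lives, so run the statements for a PDB after
-- ALTER SESSION SET CONTAINER = <that PDB>, and the CDB$ROOT ones from the root.
SELECT c.name AS run_in_container,
       'REVOKE EXECUTE ON ' || p.owner || '.' || p.table_name
       || ' FROM PUBLIC;'   AS revoke_statement
FROM   cdb_tab_privs p
JOIN   v$containers  c ON c.con_id = p.con_id
WHERE  p.grantee    = 'PUBLIC'
AND    p.privilege  = 'EXECUTE'
AND    p.table_name IN ('DBMS_BACKUP_RESTORE', 'DBMS_FILE_TRANSFER', 'DBMS_SYS_SQL',
                        'DBMS_REPCAT_SQL_UTL', 'INITJVMAUX',         'DBMS_AQADM_SYS',
                        'DBMS_STREAMS_RPC',    'DBMS_PRVTAQIM',      'LTADM',
                        'DBMS_IJOB',           'DBMS_PDB_EXEC_SQL')
ORDER BY c.name, p.table_name;
```

Re-run the audit query after applying the generated statements in each container; any row that remains points at a container you have not yet connected to.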

See Also

https://workbench.cisecurity.org/benchmarks/11760

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OracleDB

Control ID: c90404e66fa3c48b7126f5d0199f1975c45a28be597ff3511144af45ed67c300