mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues

  • From: "Andre van Winssen" <dreveewee@xxxxxxxxx>
  • To: "'Oracle-L Group'" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 24 Feb 2010 08:23:01 +0100

Oracle support just gave me the following useful feedback regarding the security
issues with oracle/aurora/util/Wrapper and dbms_jvm_exp_perms, which I want to
share with you.

<quote>

Hi Andre,

One of the most important principles for securing systems is the "least
privilege" principle (a.k.a. principle of "minimal privilege"). Under this
principle, every process, user, etc. must be able to access only such
information and resources that are necessary to achieve its intended
function.

As a result, Oracle recommends that, when possible, Database Administrators
should:

- revoke execute on "oracle/aurora/util/Wrapper" from public;

This will revoke the Java function that allows Database users to call
operating system functions as the Oracle user. This is applicable to all
Database Versions.

For Database versions 10gR2 and later:

- grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
- grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
- revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

The above steps will revoke the Java functions that allow Database users to
set Java privileges for Database users, while granting back appropriate
privileges for the Database Import/Export procedures and for the Database
DataPump procedures that need them.

Note that neither "oracle/aurora/util/Wrapper" nor sys.dbms_jvm_exp_perms
is described in Oracle documentation. If customers have used these
undocumented and unsupported features, they may encounter regressions that
can be resolved by granting back these privileges to appropriate trusted
users as a temporary solution.

Read about the Oracle Critical Patch Update process and Security Alerts
homepage:

http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle Security Vulnerability Fixing Policy is available at:

http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html

..

</quote>

 

Andre
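The grants and revokes quoted above, collected into one SQL*Plus script with a check of the privilege state before and after, as an added example that is not part of Andre's post or of Oracle support's reply. It assumes you are connected as SYS on 10gR2 or later, that the Java class is stored in SYS under the full name 'oracle/aurora/util/Wrapper' (the spelling used in the revoke statement above), and that the DBA_TAB_PRIVS and DBA_JAVA_POLICY views are available; APP_ADMIN in the last step is a placeholder for whichever trusted account you would grant back to.

```sql
-- Added example (not from Andre or Oracle support): apply the recommended
-- hardening and verify it. Assumptions: run as SYS on 10gR2+, object names
-- as quoted in the reply, DBA_TAB_PRIVS / DBA_JAVA_POLICY present.

SET LINESIZE 120 PAGESIZE 100
COLUMN grantee    FORMAT A22
COLUMN table_name FORMAT A30
COLUMN privilege  FORMAT A10

-- 1. Who can execute the two objects today? On a default install expect a
--    PUBLIC row for each.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('oracle/aurora/util/Wrapper', 'DBMS_JVM_EXP_PERMS')
 ORDER BY table_name, grantee;

-- 2. Apply the hardening. Grant back to the export/import roles before
--    revoking from PUBLIC so exp/imp and Data Pump never lose access,
--    even if the script stops part-way through.
REVOKE EXECUTE ON "oracle/aurora/util/Wrapper" FROM PUBLIC;

GRANT  EXECUTE ON sys.dbms_jvm_exp_perms TO IMP_FULL_DATABASE;
GRANT  EXECUTE ON sys.dbms_jvm_exp_perms TO EXP_FULL_DATABASE;
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- 3. Re-run the check: no PUBLIC row should remain for either object, and
--    IMP_FULL_DATABASE / EXP_FULL_DATABASE should be listed on
--    DBMS_JVM_EXP_PERMS.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('oracle/aurora/util/Wrapper', 'DBMS_JVM_EXP_PERMS')
 ORDER BY table_name, grantee;

-- 4. Related check (assumes DBA_JAVA_POLICY, 10g+): Java permissions already
--    granted to PUBLIC. File or runtime permissions here may have been set
--    through the routine just locked down and deserve a review of their own.
SELECT kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE grantee = 'PUBLIC'
   AND type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
 ORDER BY type_name, name;

-- 5. The temporary workaround from the reply, for a named trusted account
--    (APP_ADMIN is a placeholder), only if an application regresses:
-- GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO app_admin;
```

The before/after queries are the useful part: they give you a record of who held the privileges on the day of the change, which is what you will need when a developer reports a regression and asks for them back. Grant back to a specific user or role, never to PUBLIC again. If the first query returns no row for the Wrapper class on your release, confirm the stored name in DBA_JAVA_CLASSES before assuming the grant is already gone.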