RE: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues

  • From: Mohammad Rafiq <rafiq9857@xxxxxxxxxxx>
  • To: <dreveewee@xxxxxxxxx>, oracle list <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 24 Feb 2010 12:48:43 -0500
Thanks for sharing. We follow the same practice at my current client. However, when an
upgrade is done or catalog.ora is run, it grants execute privileges to public
again. So we have to revoke those grants once the upgrade is completed.
From: dreveewee@xxxxxxxxx
To: oracle-l@xxxxxxxxxxxxx
Subject: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms 
security issues
Date: Wed, 24 Feb 2010 08:23:01 +0100

Oracle support just gave me following useful feedback regarding the security 
issues with oracle/aurora/util/Wrapper and dbms_jvm_exp_perms that I want to 
share with you.
Hi Andre,
One of the most important principles for securing systems is the “least 
privilege” principle (a.k.a. principle of “minimal privilege”). Under this 
principle, every process, user, etc. must be able to access only such 
information and resources that are necessary to achieve its intended function.
As a result, Oracle recommends that, when possible, Database Administrators 
- revoke execute on "oracle/aurora/util/Wrapper" from public;
This will revoke the Java function that allows Database users to call operating 
system functions as the Oracle user. This is applicable to all Database 
For Database versions 10gR2 and later:
- grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
- grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
- revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
The above steps will revoke the Java functions that allow Database users to set 
Java privileges for Database users, while granting back appropriate privileges 
for the Database Import/Export procedures and for the Database DataPump 
procedures that need them. 
Note that neither "oracle/aurora/util/Wrapper" nor sys.dbms_jvm_exp_perms are 
described in Oracle documentation. If customers have used these undocumented 
and unsupported features, they may encounter regressions that can be resolved 
by granting back these privileges to appropriate trusted users as a temporary 
Read about Oracle Critical Patch Update process and Security Alerts homepage: 
Oracle Security Vulnerability Fixing Policy is available at:
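The steps from Oracle support above, combined with the point in the reply that upgrades and catalog runs re-grant these objects to PUBLIC, as an added example script (not from the original thread or from Oracle). It assumes both objects are owned by SYS and that their grants are visible in DBA_TAB_PRIVS, and is meant to be run by a DBA and re-run after every upgrade.

```sql
-- Added example, not part of the original post. Assumes the objects are
-- owned by SYS and that grants on them appear in DBA_TAB_PRIVS.

-- 1. Audit: who currently holds privileges on the two objects?
--    Java class names are stored case-sensitively, hence the mixed case.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('oracle/aurora/util/Wrapper', 'DBMS_JVM_EXP_PERMS')
 ORDER BY table_name, grantee;

-- 2. Mitigation, in the order given by Oracle support: grant the package to
--    the roles that legitimately need it before removing the PUBLIC grant,
--    so Import/Export and Data Pump never lose access in between.
GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO imp_full_database;
GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO exp_full_database;
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;
REVOKE EXECUTE ON "oracle/aurora/util/Wrapper" FROM PUBLIC;

-- 3. Verification: expected to return no rows. Any row means the PUBLIC
--    grant has come back (typically after an upgrade or catalog run) and
--    step 2 must be re-applied.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('oracle/aurora/util/Wrapper', 'DBMS_JVM_EXP_PERMS');
```

Scheduling the verification query as a post-upgrade check is what turns the one-off mitigation into something that survives the re-grants described in the reply.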