RE: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues

  • From: Mohammad Rafiq <rafiq9857@xxxxxxxxxxx>
  • To: <dreveewee@xxxxxxxxx>, oracle list <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 24 Feb 2010 12:48:43 -0500

Andre,

Thanks for sharing. We follow the same practice at my current client. However, when
an upgrade is done or catalog.ora is run, it grants execute privileges to public
again. So we have to revoke those grants once the upgrade is completed.

 

Regards

Rafiq
From: dreveewee@xxxxxxxxx
To: oracle-l@xxxxxxxxxxxxx
Subject: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms 
security issues
Date: Wed, 24 Feb 2010 08:23:01 +0100
Oracle support just gave me following useful feedback regarding the security 
issues with oracle/aurora/util/Wrapper and dbms_jvm_exp_perms that I want to 
share with you.
 
<quote>
Hi Andre,
 
One of the most important principles for securing systems is the “least 
privilege” principle (a.k.a. principle of “minimal privilege”). Under this 
principle, every process, user, etc. must be able to access only such 
information and resources that are necessary to achieve its intended function.
 
As a result, Oracle recommends that, when possible, Database Administrators 
should:
 
- revoke execute on "oracle/aurora/util/Wrapper" from public;
 
This will revoke the Java function that allows Database users to call operating 
system functions as the Oracle user. This is applicable to all Database 
Versions.
 
For Database versions 10gR2 and later:
- grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
- grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
- revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
 
The above steps will revoke the Java functions that allow Database users to set 
Java privileges for Database users, while granting back appropriate privileges 
for the Database Import/Export procedures and for the Database DataPump 
procedures that need them. 
 
Note that neither "oracle/aurora/util/Wrapper" nor sys.dbms_jvm_exp_perms are 
described in Oracle documentation. If customers have used these undocumented 
and unsupported features, they may encounter regressions that can be resolved 
by granting back these privileges to appropriate trusted users as a temporary 
solution.
 
Read about Oracle Critical Patch Update process and Security Alerts homepage:
http://www.oracle.com/technology/deploy/security/alerts.htm 
 
Oracle Security Vulnerability Fixing Policy is available at:
http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html
 
..
</quote>
 
Andre
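As an added example (not code from Andre, Rafiq or Oracle Support): a PL/SQL block that re-applies the steps quoted above after an upgrade or catalog run has handed EXECUTE back to PUBLIC, and then reports whether anything is still left. It assumes it is run as SYS in SQL*Plus and that the Java class is registered in the dictionary under the name oracle/aurora/util/Wrapper; the object and role names come from the thread, everything else is assumed.

```sql
SET SERVEROUTPUT ON

DECLARE
  v_hits PLS_INTEGER;

  -- Count EXECUTE grants on a SYS-owned object held by a given grantee.
  FUNCTION exec_grants(p_object IN VARCHAR2, p_grantee IN VARCHAR2)
    RETURN PLS_INTEGER IS
    v_n PLS_INTEGER;
  BEGIN
    SELECT COUNT(*) INTO v_n
      FROM dba_tab_privs
     WHERE owner = 'SYS' AND table_name = p_object
       AND grantee = p_grantee AND privilege = 'EXECUTE';
    RETURN v_n;
  END;

  PROCEDURE run(p_sql IN VARCHAR2) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE('executing: ' || p_sql);
    EXECUTE IMMEDIATE p_sql;
  END;
BEGIN
  -- 1. Only on 10gR2+ (package present): give the export/import roles their
  --    own EXECUTE before PUBLIC loses it, so exp/imp and Data Pump do not regress.
  SELECT COUNT(*) INTO v_hits FROM dba_objects
   WHERE owner = 'SYS' AND object_name = 'DBMS_JVM_EXP_PERMS' AND object_type = 'PACKAGE';
  IF v_hits > 0 THEN
    FOR r IN (SELECT role FROM dba_roles
               WHERE role IN ('IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')) LOOP
      IF exec_grants('DBMS_JVM_EXP_PERMS', r.role) = 0 THEN
        run('GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO ' || r.role);
      END IF;
    END LOOP;
    IF exec_grants('DBMS_JVM_EXP_PERMS', 'PUBLIC') > 0 THEN
      run('REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC');
    END IF;
  END IF;

  -- 2. All versions: the Java class name is mixed case with slashes, so quote it.
  --    Checking first avoids ORA-01927 when the grant is already gone.
  IF exec_grants('oracle/aurora/util/Wrapper', 'PUBLIC') > 0 THEN
    run('REVOKE EXECUTE ON sys."oracle/aurora/util/Wrapper" FROM PUBLIC');
  END IF;

  -- 3. Verify: any remaining PUBLIC grant is a finding to act on, not a silent pass.
  v_hits := exec_grants('oracle/aurora/util/Wrapper', 'PUBLIC')
          + exec_grants('DBMS_JVM_EXP_PERMS', 'PUBLIC');
  DBMS_OUTPUT.PUT_LINE('PUBLIC EXECUTE grants remaining on the two objects: ' || v_hits);
END;
/
```

Re-running the block after every upgrade or catalog run is enough to catch the re-granted privileges Rafiq mentions; a non-zero final count means the revoke did not take and should be investigated.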