RE: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues
Date: Wed, 24 Feb 2010 12:48:43 -0500
Thanks for sharing. We follow same practice at my current client. However when upgrade is done or running catalog.ora it grants execute privileges to public again. So we have to revoke those grants once upgrade is completed.
Subject: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues Date: Wed, 24 Feb 2010 08:23:01 +0100
Oracle support just gave me following useful feedback regarding the security issues with oracle/aurora/util/Wrapper and dbms_jvm_exp_perms that I want to share with you.
One of the most important principles for securing systems is the “least privilege” principle (a.k.a. principle of “minimal privilege”). Under this principle, every process, user, etc. must be able to access only such information and resources that are necessary to achieve its intended function.
As a result, Oracle recommends that, when possible, Database Administrators should:
- revoke execute on "oracle/aurora/util/Wrapper" from public;
This will revoke the Java function that allows Database users to call operating system functions as the Oracle user. This is applicable to all Database Versions.
For Database versions 10gR2 and later:
- grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
- grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
- revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
The above steps will revoke the Java functions that allow Database users to set Java privileges for Database users, while granting back appropriate privileges for the Database Import/Export procedures and for the Database DataPump procedures that need them.
Note that neither "oracle/aurora/util/Wrapper" nor sys.dbms_jvm_exp_perms are described in Oracle documentation. If customers have used these undocumented and unsupported features, they may encounter regressions that can be resolved by granting back these privileges to appropriate trusted users as a temporary solution.
Read about Oracle Critical Patch Update process and Security Alerts homepage: http://www.oracle.com/technology/deploy/security/alerts.htm
Oracle Security Vulnerability Fixing Policy is available at: http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html
Hotmail: Trusted email with Microsoft’s powerful SPAM protection. http://clk.atdmt.com/GBL/go/201469226/direct/01/ Received on Wed Feb 24 2010 - 11:48:43 CST