Re: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues

From: David Litchfield <david_at_databasesecurity.com>
Date: Wed, 24 Feb 2010 11:53:58 -0000
Message-ID: <759BFED21C6D48F386F4DA4DF895641C_at_HEDGEHOG>

Hi Andre,
You should also revoke execute from PUBLIC on DBMS_JAVA, too, and grant execute to only those that require it. The SET_OUTPUT_TO_JAVA function can be used to run arbitrary SQL as SYS. Please see http://www.databasesecurity.com/HackingAurora.pdf for more details. On a side note, I'm glad that Oracle recognize that the principle of least privilege is important. Would be nice now if they act on this, and deliver a product which has a much tighter set of default privileges. Cheers,
David

Original Message ----- From: Andre van Winssen To: 'Oracle-L Group' Sent: Wednesday, February 24, 2010 7:23 AM Subject: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues

Oracle support just gave me following useful feedback regarding the security issues with oracle/aurora/util/Wrapper and dbms_jvm_exp_perms that I want to share with you.

<quote>

Hi Andre,

One of the most important principles for securing systems is the "least privilege" principle (a.k.a. principle of "minimal privilege"). Under this principle, every process, user, etc. must be able to access only such information and resources that are necessary to achieve its intended function.

As a result, Oracle recommends that, when possible, Database Administrators should:

revoke execute on "oracle/aurora/util/Wrapper" from public;

This will revoke the Java function that allows Database users to call operating system functions as the Oracle user. This is applicable to all Database Versions.

For Database versions 10gR2 and later:

grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

The above steps will revoke the Java functions that allow Database users to set Java privileges for Database users, while granting back appropriate privileges for the Database Import/Export procedures and for the Database DataPump procedures that need them.

Note that neither "oracle/aurora/util/Wrapper" nor sys.dbms_jvm_exp_perms are described in Oracle documentation. If customers have used these undocumented and unsupported features, they may encounter regressions that can be resolved by granting back these privileges to appropriate trusted users as a temporary solution.

Read about Oracle Critical Patch Update process and Security Alerts homepage:

http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle Security Vulnerability Fixing Policy is available at:

http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html

</quote>

Andre

--
http://www.freelists.org/webpage/oracle-l

Received on Wed Feb 24 2010 - 05:53:58 CST

This message: [ Message body ]
Next message: Guillermo Alan Bort: "Re: Oracle RAC on Win vs. Oracle on Linux"
Previous message: Gints Plivna: "Re: MOS down again"
In reply to: Andre van Winssen: "mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues"
Next in thread: Allen, Brandon: "RE: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues"
Reply: Allen, Brandon: "RE: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message