5.1.1.3 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'Encryption' Packages

Information

As described below, Oracle Database PL/SQL 'Encryption' packages - DBMS_CRYPTO, DBMS_OBFUSCATION_TOOLKIT and DBMS_RANDOM - provide PL/SQL APIs to perform functions related to cryptography. The PUBLIC should not be able to execute these packages.

The DBMS_CRYPTO settings provide a toolset that determines the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key), 3DES (168-bit key), 3DES-2KEY (112-bit key), AES (128/192/256-bit keys), and RC4 are available.

The DBMS_OBFUSCATION_TOOLKIT provides one of the tools that determine the strength of the encryption algorithm used to encrypt application data and is part of the SYS schema. The DES (56-bit key) and 3DES (168-bit key) are the only two types available.

The Oracle database DBMS_RANDOM package is used for generating random numbers but should not be used for cryptographic purposes.

Rationale:

As described below, Oracle Database PL/SQL Encryption packages - DBMS_CRYPTO, DBMS_OBFUSCATION_TOOLKIT and DBMS_RANDOM - should not be granted to PUBLIC.

Execution of the DBMS_CRYPTO procedures by the PUBLIC can potentially endanger portions of or all of the data storage.

Allowing the PUBLIC privileges to access this capability can be potentially harm data storage.

Use of the DBMS_RANDOM package can allow the unauthorized application of the random number-generating function.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;
REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;

See Also

https://workbench.cisecurity.org/files/2741