5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'SQL Injection Helper' Packages

Information

As described below, the Oracle Database PL/SQL 'SQL Injection Helper' packages - DBMS_SQL, DBMS_XMLGEN, DBMS_XMLQUERY, DBMS_XMLSTORE, DBMS_XMLSAVE and DBMS_REDACT - provide APIs to schedule jobs. The user PUBLIC should not be able to execute these packages.

The Oracle database DBMS_SQL package is used for running dynamic SQL statements.

The DBMS_XMLGEN package takes an arbitrary SQL query as input, converts it to XML format, and returns the result as a CLOB.

The Oracle package DBMS_XMLQUERY takes an arbitrary SQL query, converts it to XML format, and returns the result. This package is similar to DBMS_XMLGEN.

The DBMS_XMLSTORE package provides XML functionality. It accepts a table name and XML as input to perform DML operations against the table.

The DBMS_XMLSAVE package provides XML functionality. It accepts a table name and XML as input and then inserts into or updates that table.

The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application.

Rationale:

As described below, the Oracle Database PL/SQL 'SQL Injection Helper' packages - DBMS_SQL, DBMS_XMLGEN, DBMS_XMLQUERY, DBMS_XMLSTORE, DBMS_XMLSAVE and DBMS_REDACT - should not be granted to PUBLIC.

The DBMS_SQL package could allow privilege escalation if input validation is not done properly.

The package DBMS_XMLGEN can be used to search the entire database for sensitive information like credit card numbers.

The package DBMS_XMLQUERY can be used to search the entire database for sensitive information like credit card numbers. Malicious users may be able to exploit this package as an auxiliary inject function in a SQL injection attack.

Malicious users may be able to exploit the DBMS_XMLSTORE package as an auxiliary inject function in a SQL injection attack.

Malicious users may be able to exploit the DBMS_XMLSAVE package as an auxiliary inject function in a SQL injection attack.

Malicious users may be able to exploit DBMS_REDACT as an auxiliary inject function in a SQL injection attack.

Solution

To remediate this setting, execute the following SQL statements. Keep in mind that if EXECUTE is granted in both the container database and a pluggable database, you must connect to each of them to revoke it.

REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_AW FROM PUBLIC;
REVOKE EXECUTE ON OWA_UTIL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;
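The following queries are an added example for checking the state of this setting before and after remediation; they are not part of the benchmark text. They assume a multitenant database (12c or later) where a common user with access to CDB_TAB_PRIVS and V$CONTAINERS runs the first query from CDB$ROOT to see every container at once; on a non-CDB, replace CDB_TAB_PRIVS with DBA_TAB_PRIVS and drop the CON_ID and container columns. The second query generates the REVOKE statements for whichever container you are currently connected to, so it can be rerun inside each PDB the first query reports.

```sql
-- Audit: list every container in which PUBLIC still holds EXECUTE on one of
-- the packages named in the Solution section. The package list is taken
-- from the REVOKE statements above; OWNER is shown rather than filtered on,
-- because ownership of the XML packages has varied across Oracle releases.
SELECT p.con_id,
       c.name        AS container,
       p.owner,
       p.table_name  AS package_name,
       p.privilege,
       p.grantee
  FROM cdb_tab_privs p
  JOIN v$containers  c ON c.con_id = p.con_id
 WHERE p.grantee   = 'PUBLIC'
   AND p.privilege = 'EXECUTE'
   AND p.table_name IN ('DBMS_SQL', 'DBMS_XMLGEN', 'DBMS_XMLQUERY',
                        'DBMS_XMLSAVE', 'DBMS_XMLSTORE', 'DBMS_AW',
                        'OWA_UTIL', 'DBMS_REDACT')
 ORDER BY p.con_id, p.table_name;
-- Expected result after remediation: no rows.

-- Remediation helper: generate the REVOKE statements for the container you
-- are connected to (CDB$ROOT or an individual PDB). Review the output, then
-- run it in that same container; repeat in each container the audit listed.
SELECT 'REVOKE EXECUTE ON ' || owner || '.' || table_name
       || ' FROM PUBLIC;' AS revoke_stmt
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('DBMS_SQL', 'DBMS_XMLGEN', 'DBMS_XMLQUERY',
                      'DBMS_XMLSAVE', 'DBMS_XMLSTORE', 'DBMS_AW',
                      'OWA_UTIL', 'DBMS_REDACT')
 ORDER BY table_name;
```

Qualifying the package with its owner in the generated REVOKE avoids acting on a same-named object in another schema, and ordering the audit by CON_ID makes it easy to see at a glance which PDBs still need a connection and a revoke.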

See Also

https://workbench.cisecurity.org/files/2741