5.2.15 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE'

Information

The Oracle database GRANT ANY ROLE keyword provides the grantee the capability to grant any single role to any grantee in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.

Rationale:

The GRANT ANY ROLE capability can allow an unauthorized user to potentially access or change confidential data or damage the data catalog due to potential complete instance access.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

REVOKE GRANT ANY ROLE FROM <grantee>;

See Also

https://workbench.cisecurity.org/benchmarks/13413