5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'SQL Injection Helper' Packages - SQL Injection Helper Packages

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

As described below, Oracle Database PL/SQL 'SQL Injection Helper Packages' packages - DBMS_SQL, DBMS_XMLGEN, DBMS_XMLQUERY, DBMS_XLMSTORE, DBMS_XLMSAVE and DBMS_REDACT - provide APIs to schedule jobs. The user PUBLIC should not be able to execute these packages.

The Oracle database DBMS_SQL package is used for running dynamic SQL statements.

The DBMS_XMLGEN package takes an arbitrary SQL query as input, converts it to XML format, and returns the result as a CLOB.

The Oracle package DBMS_XMLQUERY takes an arbitrary SQL query, converts it to XML format, and returns the result. This package is similar to DBMS_XMLGEN.

The DBMS_XLMSTORE package provides XML functionality. It accepts a table name and XML as input to perform DML operations against the table.

The DBMS_XLMSAVE package provides XML functionality. It accepts a table name and XML as input and then inserts into or updates that table.

The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application.

Rationale:

As described below, Oracle Database PL/SQL 'SQL Injection Helper Packages' packages - DBMS_SQL, DBMS_XMLGEN, DBMS_XMLQUERY, DBMS_XLMSTORE, DBMS_XLMSAVE and 'DBMS_REDACT' - should not be granted to PUBLIC.

The DBMS_SQL package could allow privilege escalation if input validation is not done properly.

The package DBMS_XMLGEN can be used to search the entire database for sensitive information like credit card numbers

The package DBMS_XMLQUERY can be used to search the entire database for sensitive information like credit card numbers. Malicious users may be able to exploit this package as an auxiliary inject function in a SQL injection attack.

Malicious users may be able to exploit the DBMS_XLMSTORE package as an auxiliary inject function in a SQL injection attack.

Malicious users may be able to exploit the DBMS_XLMSAVE package as an auxiliary inject function in a SQL injection attack.

Malicious users may be able to exploit DBMS_REDACT as an auxiliary inject function in a SQL injection attack.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC;
REVOKE EXECUTE ON DBMS_AW FROM PUBLIC;
REVOKE EXECUTE ON OWA_UTIL FROM PUBLIC;
REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;

Item Details

Audit Name: CIS Oracle Server 19c DB Unified Auditing v1.1.0

References: CSCv7|14.6

Plugin: OracleDB

Control ID: 8be3ff5675c60b7d9bfe0484c9bdb69b02692268fed2a1bfb84c975ee279d5b5

Detections

Analytics

5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on 'SQL Injection Helper' Packages - SQL Injection Helper Packages

Warning! Audit Deprecated

Information

Solution

See Also

Item Details