5.2.14 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'

Information

The Oracle database GRANT ANY OBJECT PRIVILEGE keyword provides the grantee the capability to grant access to any single or multiple combinations of objects to any grantee in the catalog of the database. Unauthorized grantees should not have that keyword assigned to them.

The GRANT ANY OBJECT PRIVILEGE capability can allow an unauthorized user to potentially access or change confidential data, or damage the data catalog due to potential complete instance access.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.

REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;

See Also

https://workbench.cisecurity.org/benchmarks/11760

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OracleDB

Control ID: 1677b23ec3968b0a577a170e7a290dd15290d5be306662b274349bcade4c41be