DBSecWorx Code Library


We have identified a number of Oracle built-ins that are critically important for creating and maintaining a secure environment. Some can be deployed to access data, some to probe their environment, some to trigger a Denial of Service attack. Others can and should be deployed to mitigate dangers and minimize the attack surface. If you are not familiar with them you cannot protect your database or your data.

While much of the basic information here is identical to that in Morgan's Library, every page here at DBSecWorx contains content and working demos specific to identifying and addressing security issues.
 
| Topic | Versions | Updated Date | Comment | Status |
|---|---|---|---|---|
| Accessible By Clause | 12.1 - 19.3 | 24-Jun-2019 | Keep PL/SQL code from being executed independently rather than only as part of the application? | New |
| Auditing | | Coming Soon | ? | |
| Bind Variables | | Coming Soon | ? | |
| Cross Edition Triggers | | Coming Soon | ? | |
| Data Control Language (DCL) | All | 10-Jun-2019 | DCL includes the GRANT and REVOKE statements. This page is a quick security review. | Updated |
| Data Definition Language (DDL) | All | 14-Jun-2019 | Misuse of DDL commands can result in Denial of Service, outages, and assist data theft. | Updated |
| DBMS_ADVANCED_REWRITE | 10.1 - 19.3 | 24-Jun-2019 | You wrote good code and tested it thoroughly. Too bad the optimizer isn't running it. | New |
| DBMS_ASSERT | 10.2 - 19.3 | 27-May-2019 | An essential tool that, properly used, puts an end to SQL Injection attacks. | Updated |
| DBMS_AUDIT_MGMT | 11.1 - 19.3 | 31-May-2019 | API for managing database auditing; be sure you carefully monitor its use. | Updated |
| DBMS_AUDIT_UTIL | 12.2 - 19.3 | 09-Jun-2019 | Contains functions for formatting the output of audit views. | Updated |
| DBMS_CRYPTO | 10.1 - 19.3 | 24-Jun-2019 | The issue with this package is that the docs are incomplete, and what you don't know is dangerous. | New |
| DBMS_CRYPTO_FFI | 12.1 - 19.3 | Coming Soon | ? | |
| DBMS_CRYPTO_INTERNAL | 12.2 - 19.3 | Coming Soon | ? | |
| DBMS_CRYPTO_TOOLKIT | 10.1 - 19.3 | Coming Soon | ? | |
| DBMS_CRYPTO_TOOLKIT_FFI | 19.3 | Coming Soon | ? | |
| DBMS_CRYPTO_TOOLKIT_TYPES | 12.1 - 19.3 | Coming Soon | ? | |
| DBMS_FGA | 9.0 - 19.3 | Coming Soon | ? | |
| DBMS_LOG | 12.1 - 19.3 | 02-Jun-2019 | A built-in API for writing to the ALERT LOG and System Log. | Updated |
| DBMS_LOGMNR | ? - 19.3 | Coming Soon | ? | |
| DBMS_METADATA | 9.0 - 19.3 | 01-Jun-2019 | Sometimes it is hard to choose which of the Oracle packages is the worst security compromise. | Updated |
| DBMS_PLSQL_CODE_COVERAGE | 12.2 - 19.3 | Coming Soon | ? | |
| DBMS_PQ_INTERNAL | 12.2 - 19.3 | Coming Soon | An undocumented, unsupported package. We are not sure what it can do, so be careful that no one uses it. | |
| DBMS_PREPROCESSOR | 10.2 - 19.3 | Coming Soon | A partially documented package that can retrieve post-processed source code. | |
| DBMS_PRIVILEGE_CAPTURE | 12.1 - 19.3 | Coming Soon | ? | |
| DBMS_PRIV_CAPTURE | 12.1 - 19.3 | Coming Soon | ? | |
| DBMS_PROFILER | 8.1 - 19.3 | Coming Soon | ? | |
| DBMS_PSWMG_IMPORT | ? - 19.3 | 14-Jun-2019 | Undocumented, but has capabilities related to importing and purging password history. | Updated |
| DBMS_RLS | 8.1.5 - 19.3 | Coming Soon | RLS stands for Row Level Security. You may also know it as Virtual Private Database or Fine Grained Access Control. Deploying this package should be mandatory. | |
| DBMS_SFW_ACL_ADMIN | 12.2 - 19.3 | Coming Soon | Access Control List for use by external Virtual Machines (VMs) and host networks. | |
| DBMS_SQL | 7.1 - 19.3 | Coming Soon | ? | |
| DBMS_SQLHASH | 12.1 - 19.3 | Coming Soon | Supported cryptographic hash function for SQL statements. | |
| DBMS_SYS_SQL | ? - 19.3 | Coming Soon | ? | |
| DBMS_TRANSLATOR | ? - 19.3 | Coming Soon | ? | |
| DBMS_UTILITY | 7.3.4 - 19.3 | 29-May-2019 | Much of this package is essentially harmless utilities, but there is danger hiding in there too. | |
| DBMS_WARNING | 10.1 - 19.3 | 03-Jun-2019 | PL/SQL Warnings are disabled by default; they shouldn't be. This is the API for managing them. | Updated |
| DBMS_WARNING_INTERNAL | 10.1 - 19.3 | 14-Jun-2019 | An undocumented supporting package for DBMS_WARNING. | Updated |
| DBMS_XDS | | Coming Soon | ? | |
| DBMS_XDS_INT | | Coming Soon | ? | |
| DBMS_XSLPROCESSOR | 10.1 - 19.3 | 27-May-2019 | This package contains a vulnerability that can aid data exfiltration if not addressed. | Updated |
| DDL Event Triggers | | Coming Soon | Event triggers that fire BEFORE or AFTER DDL events. They should be required in every database. | |
| Edition Based Redefinition | | Coming Soon | The most valuable feature in 11.2, but with few using it, DBAs do not understand the risk it hides. | |
| Exception Handling | | Coming Soon | Poorly written exception handling can create a mask that hides bad behavior such as brute force attacks. | |
| Fine Grained Access Control | 8.1.5 - 19.3 | Coming Soon | ? | |
| Fine Grained Auditing | 9.0 - 19.3 | Coming Soon | ? | |
| Global Temporary Tables | | Coming Soon | Data stored in Global Temporary Tables is protected from access by any user, even SYSDBA. | |
| Initialization Parameters | All | Coming Soon | ? | |
| Instead Of Triggers | - | Coming Soon | Written on views, they do precisely what the name implies ... they fire instead of the expected behavior. | |
| Java Functions and Procedures | - | Coming Soon | ? | |
| Killing Sessions | - | Coming Soon | An essential skill all DBAs must have during a breach is knowing how to kill sessions. Learn it well. | |
| Label Security | | Coming Soon | ? | |
| LISTENER Configuration | | Coming Soon | ? | |
| Lockdown Profiles | | Coming Soon | This single feature is important enough to justify moving to the new Container architecture. | |
| Native Dynamic SQL | 8.1.5 - 19.3 | 03-Jun-2019 | Constructing active SQL from strings is very powerful but can also hide dangerous code. | Updated |
| Object Privileges | All | 26-May-2019 | Some privileges have changed since version 7.3.4 but many have not, and the principles are the same. | |
| PLScope | | Coming Soon | ? | |
| PL/SQL Function Security | All | Coming Soon | ? | |
| PL/SQL Operator Security | All | Coming Soon | ? | |
| PL/SQL Package Security | All | Coming Soon | ? | |
| PL/SQL Procedure Security | All | Coming Soon | ? | |
| PL/SQL Object Settings | | Coming Soon | ? | |
| PL/SQL Warnings | 10.1 - 19.3 | 03-Jun-2019 | Invaluable and essentially never enabled. You should enable them in every database you have. | Updated |
| Policy Based Auditing | | Coming Soon | New to Oracle 12c and above. If you are still using the legacy auditing you could be doing a lot better. | |
| Pragma Deprecate | 12.1 - 19.3 | Coming Soon | Used to mark a PL/SQL element as deprecated. | |
| Private Temporary Tables | 18.1 - 19.3 | Coming Soon | Data stored in Private Temporary Tables is protected from access by any user, even SYSDBA. | |
| Product User Profiles | All | Coming Soon | PUPs are so old you probably don't know they exist. But "old" doesn't mean they don't have value. | |
| Profiles | 7.3.4 - 19.3 | 10-Jun-2019 | Profiles are a powerful security tool when used correctly. | Updated |
| Proxy Users | All | Coming Soon | ? | |
| Read Only Oracle Home (ROOH) | 18.1 - 19.3 | Coming Soon | Any database deployed after version 18.1 should be leveraging this feature. Be sure you learn to use it. | |
| Ref Cursors | 7.3 - 19.3 | 08-Jun-2019 | Constructing active SQL from strings is very powerful but can also hide dangerous code. | Updated |
| Roles | 7.3.4 - 19.3 | Coming Soon | ? | |
| Row Level Security | 8.1.5 - 19.3 | Coming Soon | See DBMS_RLS, above. | |
| Secure Configuration Script | 18.1 - 19.3 | Coming Soon | ? | |
| SecureFiles | | Coming Soon | ? | |
| Secure Deployment | 12.1 - 19.3 | Coming Soon | ? | |
| Startup Parameters | All | Coming Soon | See Initialization Parameters, above. | |
| System Privileges | All | 26-May-2019 | Some privileges have changed since version 7.3.4 but many have not, and the principles are the same. | |
| System Event Triggers | | Coming Soon | Event triggers that fire in response to system events. They should be required in every database. | |
| SYS_CONTEXT Function | | Coming Soon | One of the most valuable functions provided by Oracle for use in audit trails and event triggers. | |
| Transparent Data Encryption (TDE) | | Coming Soon | An invaluable tool for getting auditors out of your cube so you can get back to doing real work. | |
| Unified Audit Policies | | Coming Soon | New to Oracle 12c and above. If you are still using the legacy auditing you could be doing a lot better. | |
| Users | All | Coming Soon | ? | |
| UTL_FILE | 7.3.4 - 19.3 | Coming Soon | This documented package can read files from disk ... including redo logs and archived redo logs. | |
| UTL_HTTP | 7.3.4 - 19.3 | Coming Soon | This documented package can import HTML pages and files from the internet into your database. | |
| UTL_INADDR | 8.1.7 - 19.3 | Coming Soon | This documented package can be used to interrogate internal and external DNS servers to identify targets. | |
| UTL_MAIL | 2002-2003 | Coming Soon | This documented package can, by default, send data directly from your database to anywhere. | |
| UTL_SMTP | 8.1.7 - 19.3 | 06-Jun-2019 | This documented package can, by default, send data directly from your database to anywhere. | Updated |
| UTL_TCP | 8.1.7 - 19.3 | 06-Jun-2019 | What's the harm in making a TCP/IP connection from your database without authorization? Find out. | Updated |
| View Security | All | Coming Soon | ? | |
| Virtual Private Database | 8.1.5 - 19.3 | Coming Soon | See DBMS_RLS, above. | |
Copyright © 2019 DBSecWorx. All rights reserved.