DBSecWorx Code Library


wwwlibrary
Home / Resources / Code Library
We have identified a number of Oracle built-ins that are critically important when creating and maintaining a secure environment. Some can be deployed to access data, some to probe their environment, some to trigger a Denial-of-Service attack. Others can and should be deployed to mitigate dangers and minimize the attack surface. If you are not familiar with them you cannot protect your database and your data.

While much of the basic information here is identical to that in Morgan's Library every page here at
DBSecWorx contains content and working demos specific to identifying and addressing security issues.
 
Topic Versions Updated Date Comment
Accessible By Clause 12.1 - 19c 24-Jun-2019 Keep PL/SQL code from being executed independently rather than only as part of the application?
Data Control Language (DCL) All 10-Jun-2019 DCL include the GRANT and REVOKE statements. This page is a quick security review.
Data Definition Language (DDL) All 14-Jun-2019 Misuse of DDL commands can result in Denial of Service, Outages, and assist data theft.
Database Vault All 01-Dec-2019 Database Vault is a valuable tool but it also has at least one major weakness: Learn about it now.
DBMS_ADVANCED_REWRITE 10.1 - 19c 24-Jun-2019 You wrote good code, tested it thoroughly, Too bad the optimizer isn't running it.
DBMS_ASSERT 10.2 - 19c 27-May-2019 An essential tool tool that, properly used, puts an end to SQL Injection attacks.
DBMS_AUDIT_MGMT 11.1 - 19c 31-May-2019 API to managing database auditing, be sure you carefully monitor its use.
DBMS_AUDIT_UTIL 12.2 - 19c 09-Jun-2019 Contains functions for formatting the output to audit views.
DBMS_CRYPTO 10.1 - 19c 24-Jun-2019 The issue with this package is that the docs are incomplete and what you don't know is dangerous.
DBMS_CRYPTO_FFI 12.1 - 19c 25-Jun-2019 There are no known issues specific to this package but rather risks associated with DBMS_CRYPTO.
DBMS_CRYPTO_INTERNAL 12.2 - 19c 07-Jul-2019 There are no known issues specific to this package but rather risks associated with DBMS_CRYPTO.
DBMS_CRYPTO_TOOLKIT 10.1 - 19c 16-Nov-2019 There are no known issues specific to this package but rather risks associated with DBMS_CRYPTO.
DBMS_CRYPTO_TOOLKIT_FFI 19.1 - 19c 16-Nov-2019 There are no known issues specific to this package but rather risks associated with DBMS_CRYPTO.
DBMS_CRYPTO_TOOLKIT_TYPES 12.1 - 19c 16-Nov-2019 There are no known issues specific to this package but rather risks associated with DBMS_CRYPTO.
DBMS_DEBUG_JDWP 9.0 - 19c 30-Nov-2019 Connects/disconnects debug using the jdwp protocol. Note that this package requires a database ACL.
DBMS_FGA 9.0 - 19c 26-Nov-2019 If you are not using DBMS_FGA you are most likely not in compliance with HIPAA or "best" practices.
DBMS_LOG 12.1 - 19c 12-Jul-2019 A built-in API for writing to the ALERT and/or System logs.
DBMS_LOGMNR 8.1.5 - 19c 08-Jul-2019 Every database, relational/non-relational has a transaction log. the more you learn the safer you are.
DBMS_METADATA 9.0 - 19c 01-Jun-2019 Sometimes it is hard to choose which of the Oracle packages is the worst security compromise.
DBMS_NETWORK_ACL_ADMIN 10.1 - 19c 29-Nov-2019 Defines and administers network Access Control Lists a critical part of creating a secure DBMS environment.
DBMS_NETWORK_ACL_UTILITY 11.1 - 19c 26-Nov-2019 Utility functions that facilitate managing network access permissions.
DBMS_PQ_INTERNAL 12.2 - 19c 08-Jul-2019 An undocumented unsupported package and we are not sure what it can do so be sure n one uses it.
DBMS_PREPROCESSOR 10.2 - 19c 02-Dec-2019 A partially documented package that can retrieve post-processed source code.
DBMS_PRIVILEGE_CAPTURE 12.1 - 19c 11-Jul-2019 Knowing who has what privileges can assist or thwart an attack.
DBMS_PRIV_CAPTURE 12.1 - 19c 18-Dec-2019 Capture privileges used in Oracle defined PL/SQL packages. Valuable information for an attack.
DBMS_PROFILER 8.1 - 19c 18-Dec-2019 Read this much in the docs: "Provides an interface to PL/SQL application code" to anticipate an issue.
DBMS_PSWMG_IMPORT N/A - 19c 14-Jun-2019 Undocumented buy has capabilities related to importing and purging password history.
DBMS_SFW_ACL_ADMIN 12.2-19c 13-Nov-2019 APIs to administer service Access Control List for Exadata and ExaCC Virtual Machines (VMs).
DBMS_SQLDIAG 11.1-19c 27-Jul-2019 How could SQL Diagnostics be an issue? In many many ways.
DBMS_SQLHASH 12.1 - 19c 14-Nov-2019 Supported cryptographic hash function for SQL statements.
DBMS_SQLQ 19c 28-Jun-2019 New functionality in 19c and again Oracle grants execute to PUBLIC: An easy Denial of Service Attack.
DBMS_SQL_TRANSLATOR 12.1 - 19c 15-Dec-2019 You wrote good code and tested it thoroughly, Too bad the optimizer is trashing the database when it runs.
DBMS_SQL_TRANSLATOR_EXPORT 12.1 - 19c 21-Dec-2019 This internal support utility has EXECUTE granted to PUBLIC: And it is more frightening than that.
DBMS_SUPPORT 7.2 - 19c 01-Jan-2020 Tracing reveals information that is of value to attackers.
DBMS_TRACE 8.1.5 - 19c 01-Jan-2020 Tracing reveals information that is of value to attackers.
DBMS_UTILITY 7.3.4 - 19c 29-May-2019 Much of this package is essentially harmless utilities but there is danger hiding in their too.
DBMS_WARNING 10.1 - 19c 03-Jun-2019 PL/SQL Warnings are disabled by default, they shouldn't be. This is the API for managing them.
DBMS_WARNING_INTERNAL 10.1 - 19c 14-Jun-2019 An undocumented supporting package for DBMS_WARNING.
DBMS_XDS 18.1 - 19c 12-Nov-2019 An undocumented supporting package for Oracle Advanced Security.
DBMS_XDS_INT 18.1 - 19c 12-Nov-2019 An undocumented supporting package for Oracle Advanced Security.
DBMS_XMLQUERY 9.2 - 19c 08-Mar-2020 The overloaded NEWCONTEXT function has been used for exploits first demonstrated at Defcon 2011
DBMS_XSLPROCESSOR 10.1 - 19c 27-May-2019 This package contains a vulnerability that can aide data exfiltration if not addressed.
DBMS_XS_PRINCIPALS 12.1 - 19c In Development TBD
DBMS_XS_SESSIONS 12.1 - 19c 27-Dec-2019 Another RAS package with EXECUTE granted to PUBLIC. Learn how to protect your database from it.
DBMS_XS_SESSIONS_FFI 12.1 - 19c In Development TBD
Feature Usage 11.2 - 20c 25-May-2020 This page is a review of the security-focused Feature Usage procs
Fine Grained Auditing 9.0 - 19c 26-Nov-2019 If you are not using DBMS_FGA you are most likely not in compliance with HIPAA or "best" practices.
Fine Grained Data Security 18c - 20c 26-Mar-2020 One way to minimize the risk of becoming the next Experian
FIPS 140 18c - 19c 09-Nov-2019 FIPS-140 is the US Federal Information Processing computer security standard: Don't leave home without it.
Killing Sessions All 02-Dec-2019 An essential skill all DBAs must have during a breach is knowing how to kill sessions. Learn it well.
LBAC_CACHE 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_EVENTS 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_EXP 12.2 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_LGSTNDBY_UTIL 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_POLICY_ADMIN 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_PRIVS 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_RLS 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_SERVICES 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_SESSION 10.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_STANDARD 10.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC_SYSDBA 10.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package one of its components.
LBAC_UTL 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC$SA 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
LBAC$SA_LABELS 10.1 - 20c 19-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
Lockdown Profiles 12.2 - 19c 03-Jul-2019 This single feature is important enough to justify moving to the new Container architecture.
Native Dynamic SQL 8.1.5 - 20c 19-Mar-2020 Constructing active SQL from strings is very powerful but can also hide dangerous code.
NO AUTHENTICATION All 11-Dec-2019 Any user, human or mechid, that is not a proxy user account is an unnecessary security risk.
Object Privileges All 26-May-2019 Some privileges have changed since version 7.3.4 but most have not and the principles are the same.
OLS$DATAPUMP 10.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
OLS_DIP_NTFY 10.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
OLS_ENFORCEMENT 10.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
OLS_UTIL_WRAPPER 10.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
Oracle Label Security 10.2 - 19c 14-May-2020 Label security is vastly underappreciated by Oracle's customers. Here is a key to its components
ORAPWD Utility All 18-Jan-2020 Oracle Password Utility
OWM_ASSERT_PKG 12.2 - 19c 14-Jul-2019 OWM stands for Oracle Wallet Manager ..."ASSERT" indicates a risk of SQL Injection attack.
PL/SQL Warnings 10.1 - 19c 03-Jun-2019 Invaluable and essentially never enabled. You should enable them in every database you have.
Profiles All 10-Jun-2019 Profiles are a powerful security tool when used correctly.
Proxy Users All 11-Dec-2019 Any user, human or mechid, that is not a proxy user account is an unnecessary security risk.
Real Application Security 12.1 - 19c 18-Jan-2020 A single point of access to all of our RAS related monographs.
Real Application Security Privileges 12.1 - 19c 29-Dec-2019 A review under development of RAS Privileges and what little we know about them: Which is very little.
Recycle Bin 10.1 - 20c 19-Mar-2020 Dropping a table does not mean that your data is gone.
Ref Cursors 7.3 - 20c 19-Mar-2020 Constructing active SQL from strings is very powerful but can also hide dangerous code.
SA_AUDIT_ADMIN 12.1 - 20c 20-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
SA_COMPONENTS 12.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
SA_LABEL_ADMIN 12.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
SA_POLICY_ADMIN 12.1 - 20c 19-May-2020 This object is a PUBLIC SYNONYM for LBAC_POLICY_ADMIN
SA_SESSION 12.1 - 20c 20-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
SA_SYSDBA 12.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
SA_USER_ADMIN 12.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
SA_UTL 12.1 - 20c 21-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
Secure Configuration 12.1 - 20c 25-Oct-2019 Oracle added a new Secure Configuration script as of 12cR1: Understand what it does and when it is run.
Security "Best Practices" All 26-Dec-2019 Our guide, still in development, as to what you should be focusing on to protect your data and databases.
Startup Parameters All 09-Apr-2020 Many startup (initialization) parameters impact database security.
System Privileges All 26-May-2019 Some privileges have changed since version 7.3.4 but many have not and the principles are the same.
SYS_CONTEXT Functions 9.2 - 19c 19-May-2020 Valuable functions that should be incorporated into auditing, exception handling, and logging.
TO_LABEL_LIST 10.1 - 20c 18-May-2020 Label security is vastly underappreciated by Oracle's customers: This package is one of its components.
Users All 11-Dec-2019 Any user, human or mechid, that is not a proxy user account is an unnecessary security risk.
UTL_ENCODE 9.0.1 - 19c 01-Dec-2019 Functions that encode data into a standard encoded format: Perfect for a substitution attack.
UTL_FILE 7.3.4 - 19c 13-Dec-2019 This documented package can read and writes files to and from file system with the privileges of "oracle".
UTL_HTTP 7.3.4 - 19c 14-Dec-2019 What could possibly create an issue downloading internet content directly into an Oracle database?
UTL_INADDR Exploit 8.1.7 - 19c 18-Nov-2019 This documented package can be used to interrogate internal and external DNS servers to identify targets.
UTL_I18N 10.1 - 19c 01-Dec-2019 Intended to support globalization but can also support substitution attacks.
UTL_MAIL 2002 - 19c 16-Dec-2019 This documented package can send data directly from your database to anywhere.
UTL_MAIL_INTERNAL 2002 - 19c 15-Dec-2019 There are no known issues specific to this package but rather risks associated with UTL_MAIL.
UTL_RAW 7.3 - 19c 17-Nov-2019 Valuable functions that should be incorporated into auditing, exception handling, and logging.
UTL_SMTP 8.1.7 - 19c 06-Jun-2019 This documented package can, by default, send data directly from your database to anywhere.
UTL_TCP 8.1.7 - 19c 06-Jun-2019 What the harm in making a TCP/IP connection from your database without authorization? Find out.
XS_ACL 11.2 - 19c 26-Dec-2019 A poorly documented piece of Real Application Security: Protect yourself from it.
XS_ACL_INT 11.2 - 19c 02-Jan-2020 Other than missing an ACCESSIBLE BY clause this should not be a cause for major concern.
XS_ADMIN_INT 12.1 - 19c 02-Jan-2020 Other than missing an ACCESSIBLE BY clause this should not be a cause for major concern.
XS_ADMIN_UTIL 12.1 - 19c 29-Dec-2019 Ready for a package that grants security privileges and has EXECUTE granted to PUBLIC? We aren't.
XS_ADMIN_UTL_INT 12.1 - 19c In Development TBD
XS_DATA_SECURITY 12.1 - 19c In Development TBD
S_DATA_SECURITY_INT 12.1 - 19c In Development TBD
XS_DATA_SECURITY_UTIL 12.1 - 19c 18-Jan-2020 Part of RAS that can be used to schedule automatic refreshment for static ACL
XS_DATA_SECURITY_UTIL_INT 12.1 - 19c In Development TBD
XS_DIAG 12.1 - 19c In Development TBD
XS_DIAG_INT 12.1 - 19c In Development TBD
XS_MTCACHE_INT 12.1 - 19c In Development TBD
XS_NAMESPACE 12.1 - 19c In Development TBD
XS_NAMESPACE_INT 12.1 - 19c In Development TBD
XS_PRINCIPAL 12.1 - 19c In Development TBD
XS_PRINCIPAL_INT 12.1 - 19c In Development TBD
XS_ROLESET 12.1 - 19c In Development TBD
XS_ROLESET_INT 12.1 - 19c In Development TBD
XS_SECURITY_CLASS 12.1 - 19c In Development TBD
XS_SECURITY_CLASS_INT 12.1 - 19c In Development TBD
 
DBSecWorx secures data and databases
 

 Copyright © 2019-2020
DBSecWorx All rights reserved.
 
Privacy & Cookies Policy Privacy Shield Legal