Oracle DBMS_DEBUG_JDWP Built-In Package
Versions 9.0 - 21c

Security Advisory
Allows a session to connect to a debugger using the JDWP protocol. We have decided to include this undocumented, unsupported package in the Code Library because it is the type of functionality that a database administrator focusing on security needs to be aware of, even if this specific package is not a high risk.

What you want to pay attention to is that it contains objects with names like CONNECT_TCP and PROCESS_CONNECT_STRING. If something can be used to make a TCP/IP connection from inside a database, it must immediately be treated as a candidate for misuse.
 
Recommended Security Rules

 NEVER
  • Accept Oracle's default grant of EXECUTE to PUBLIC for this package
 WITH GREAT CARE
  • Verify in a pre-production environment that code/applications that will be hosted do not require EXECUTE
  • If any code/application requires EXECUTE, grant EXECUTE explicitly and document the change
  • Revoke EXECUTE from PUBLIC
 CAUTIONS
  • When improving security by revoking default grants such as EXECUTE to PUBLIC, be sure to add them to your testing when upgrading to newer versions or upgrading the application(s) deployed on and using the database.
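
The rules above as a worked sequence. This is an added example, not part of the original library page; APP_OWNER is a hypothetical schema standing in for whatever account testing shows needs the package.

```sql
-- 1. Who can execute the package today (PUBLIC on a default install)
SELECT grantee, privilege, grantable
FROM dba_tab_privs
WHERE owner = 'SYS'
AND table_name = 'DBMS_DEBUG_JDWP'
ORDER BY 1,2;

-- 2. Stored code with a static reference to the package, directly or
--    through a public synonym. SYS-owned code is excluded because it
--    does not rely on the PUBLIC grant. Dynamic SQL and client-side
--    calls do not appear here, so pre-production testing is still needed.
SELECT owner, name, type, referenced_owner
FROM dba_dependencies
WHERE referenced_name = 'DBMS_DEBUG_JDWP'
AND referenced_owner IN ('SYS', 'PUBLIC')
AND owner NOT IN ('SYS', 'PUBLIC')
ORDER BY 1,2,3;

-- 3. Accounts and roles holding the system privileges named in ORA-01031
SELECT grantee, privilege, admin_option
FROM dba_sys_privs
WHERE privilege IN ('DEBUG CONNECT SESSION', 'DEBUG ANY PROCEDURE')
ORDER BY 1,2;

-- 4. Grant explicitly where step 2 or testing showed a need, then revoke.
--    The grant goes to the schema itself because definer's rights code
--    does not see privileges received through a role.
GRANT EXECUTE ON sys.dbms_debug_jdwp TO app_owner;  -- hypothetical schema
REVOKE EXECUTE ON sys.dbms_debug_jdwp FROM PUBLIC;

-- 5. Anything invalidated by the revoke
SELECT owner, object_type, object_name
FROM dba_objects
WHERE status = 'INVALID'
ORDER BY 1,2,3;
```

Keep the output of steps 1 and 3 with the change record so the same queries can be re-run after each upgrade or patch.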
 
How Oracle Works
How Oracle imagined this package would be used
Run the following 2 queries in all of your database environments, even non-Oracle.

col owner format a15
col object_type format a15
col object_name format a55

SELECT owner, object_type, object_name
FROM dba_objects
WHERE object_name LIKE '%TCP%'
ORDER BY 1,2,3;

OWNER           OBJECT_TYPE     OBJECT_NAME
--------------- --------------- -------------------------------------------------------
PUBLIC          SYNONYM         UTL_TCP
SYS             JAVA CLASS      com/sun/corba/se/impl/transport/ReadTCPTimeoutsImpl
SYS             JAVA CLASS      com/sun/corba/se/spi/activation/TCPPortHelper
SYS             JAVA CLASS      sun/rmi/transport/tcp/TCPChannel
SYS             JAVA CLASS      sun/rmi/transport/tcp/TCPChannel$1
SYS             JAVA CLASS      sun/rmi/transport/tcp/TCPConnection
SYS             JAVA CLASS      sun/rmi/transport/tcp/TCPEndpoint
SYS             JAVA CLASS      sun/rmi/transport/tcp/TCPEndpoint$FQDN
SYS             JAVA CLASS      sun/rmi/transport/tcp/TCPTransport
SYS             JAVA CLASS      sun/rmi/transport/tcp/TCPTransport$1
SYS             JAVA CLASS      sun/rmi/transport/tcp/TCPTransport$AcceptLoop
SYS             JAVA CLASS      sun/rmi/transport/tcp/TCPTransport$ConnectionHandler
SYS             JAVA CLASS      sun/security/krb5/internal/TCPClient
SYS             LIBRARY         UTL_TCP_LIB
SYS             PACKAGE         UTL_TCP
SYS             PACKAGE BODY    UTL_TCP

col object_name format a20

SELECT owner, object_name, procedure_name
FROM dba_procedures
WHERE procedure_name LIKE '%TCP%'
ORDER BY 1,2,3;

OWNER           OBJECT_NAME          PROCEDURE_NAME
--------------- -------------------- ------------------------------
MDSYS           SEM_RDFCTX_DR        PROCESS_TCP_REQUEST
SYS             DBMS_ASH             GETCPUINFO
SYS             DBMS_DEBUG_JDWP      CONNECT_TCP

Note: dbms_ash.getcpuinfo does not perform TCP/IP

If it touches TCP/IP you need to document who has access and the justification for that access.
 
DBMS_DEBUG_JDWP Package Information
AUTHID CURRENT_USER
Constants
Name                            Data Type    Value
connect_defer_suspension        PLS_INTEGER  1
connect_force_connect           PLS_INTEGER  2
connect_string_environment_var  PLS_INTEGER  1
connect_string_cookie           PLS_INTEGER  2
Dependencies
DBMS_DEBUG_JDWP_CUSTOM DBMS_ISCHEDFW DBMS_SQL_MONITOR
Documented in Types & Packages No
Exceptions
Error Code  Reason
ORA-00022   Attempted to disconnect a session other than self
ORA-01031   User does not have the DEBUG CONNECT SESSION and DEBUG ANY PROCEDURE privileges
ORA-30677   The requested session is already being debugged
ORA-30681   Improper argument was provided for a call to CONNECT_TCP
ORA-30682   Improper value for CONNECT_TCP parameter
ORA-30683   Failed to establish a debugger connection
First Available 9.0
Security Model Owned by SYS with EXECUTE granted to PUBLIC
Source {ORACLE_HOME}/rdbms/admin/dbmsjdwp.sql
Subprograms
 
CONNECT_TCP
Connect the specified session to the debugger waiting at host:port

This demo performs added security checks to decide if the debug connection request is granted (for example, by verifying that the debugger is running on a trusted host)

Note: In 11gR1, and thereafter, an ACL must be created for this call to succeed (see link below)

dbms_debug_jdwp.connect_tcp(
host               IN VARCHAR2,
port               IN VARCHAR2,
session_id         IN PLS_INTEGER := NULL,
session_serial     IN PLS_INTEGER := NULL,
debug_role         IN VARCHAR2    := NULL,
debug_role_pwd     IN VARCHAR2    := NULL,
option_flags       IN PLS_INTEGER := 0,
extensions_cmd_set IN PLS_INTEGER := 128);

DECLARE
 vhost VARCHAR2(40) := 'bigdog.mlib.org';
 vport VARCHAR2(10) := '1521';
BEGIN
  IF (utl_inaddr.get_host_address(vhost) != '119.168.1.119') THEN
    RAISE_APPLICATION_ERROR(-20000, 'debug connection to this host not permitted');
  ELSE
    dbms_debug_jdwp.connect_tcp(vhost, vport);
  END IF;
  dbms_debug_jdwp.disconnect;
END;
/
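
The ACL requirement in the note above is a second control worth auditing alongside the EXECUTE grant. The following is an added example, not part of the original library page, and assumes 12c or later (DBA_HOST_ACES and APPEND_HOST_ACE); the host comes from the demo, while port 4000 and APP_DEBUG_USER are constructed values.

```sql
-- 1. Every ACE that currently allows a JDWP connection. A wildcard host
--    or a NULL port range should have a documented justification.
SELECT host, lower_port, upper_port, principal, grant_type
FROM dba_host_aces
WHERE UPPER(privilege) = 'JDWP'
ORDER BY 1,2,4;

-- 2. Allow one account to reach one debugger host and port only
BEGIN
  dbms_network_acl_admin.append_host_ace(
    host       => 'bigdog.mlib.org',
    lower_port => 4000,                                  -- constructed port
    upper_port => 4000,
    ace        => xs$ace_type(
                    privilege_list => xs$name_list('jdwp'),
                    principal_name => 'APP_DEBUG_USER',  -- hypothetical account
                    principal_type => xs_acl.ptype_db));
END;
/

-- 3. Remove the same ACE when the debugging work is finished
BEGIN
  dbms_network_acl_admin.remove_host_ace(
    host       => 'bigdog.mlib.org',
    lower_port => 4000,
    upper_port => 4000,
    ace        => xs$ace_type(
                    privilege_list => xs$name_list('jdwp'),
                    principal_name => 'APP_DEBUG_USER',
                    principal_type => xs_acl.ptype_db));
END;
/
```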
 
CURRENT_SESSION_ID
Returns the current session identifier

dbms_debug_jdwp.current_session_id RETURN PLS_INTEGER;

SELECT dbms_debug_jdwp.current_session_id
FROM dual;
 
CURRENT_SESSION_SERIAL
Returns the current session serial number

dbms_debug_jdwp.current_session_serial RETURN PLS_INTEGER;

SELECT dbms_debug_jdwp.current_session_serial
FROM dual;
 
DISCONNECT
A session cannot yet disconnect another session from a debugger; it can only connect or disconnect itself

dbms_debug_jdwp.disconnect(
session_id     IN PLS_INTEGER := NULL,
session_serial IN PLS_INTEGER := NULL);
See CONNECT_TCP Demo Above
 
GET_NLS_PARAMETER
Gets the value of the specified NLS parameter affecting the format in which NUMBER, DATE, TIME (WITH TIME ZONE) and TIMESTAMP (WITH TIME ZONE)

dbms_debug_jdwp.get_nls_parameter(name IN VARCHAR2)
RETURN VARCHAR2;

desc nls_session_parameters

SELECT * FROM nls_session_parameters;

SELECT dbms_debug_jdwp.get_nls_parameter('NLS_TIMESTAMP_FORMAT')
FROM dual;

exec dbms_debug_jdwp.set_nls_parameter('NLS_TIMESTAMP_FORMAT','DD-MON-YYYY HH.MI.SSXFF AM');

SELECT dbms_debug_jdwp.get_nls_parameter('NLS_TIMESTAMP_FORMAT')
FROM dual;
 
PROCESS_CONNECT_STRING
Allows a session to connect to a debugger through the use of either the ORA_DEBUG_JDWP operating system environment variable when running an OCI program, or a web browser "cookie" called OWA_DEBUG_<dad> set when running an application through the PL/SQL Web Gateway

dbms_debug_jdwp.process_connect_string(
connect_string      IN VARCHAR2,
connect_string_type IN PLS_INTEGER);
TBD
 
SET_NLS_PARAMETER
Sets the value of the specified NLS parameter affecting the format in which NUMBER, DATE, TIME (WITH TIME ZONE) and TIMESTAMP (WITH TIME ZONE)

dbms_debug_jdwp.set_nls_parameter(
name  IN VARCHAR2,
value IN VARCHAR2);
See GET_NLS_PARAMETER Demo Above

Related Topics
DBMS_DEBUG
DBMS_DEBUG_JDWP_CUSTOM
DBMS_NETWORK_ACL_ADMIN
DBMS_NETWORK_ACL_UTILITY
SYS_CONTEXT