Security bug – DBMS_JAVA

Feb 9

Posted by

Until Oracle ships a patch for recently reported bug related to some DBMS packages, I decided to follow recommendation on Miladin Modrakovic blog and revoked execute privileges from the public:

revoke execute on DBMS_JVM_EXP_PERMS from public;
revoke execute on DBMS_JAVA from public;
revoke execute on DBMS_JAVA_TEST from  public;
Advertisement

Posted on 09.02.2010, in Oracle and tagged . Bookmark the permalink. 1 Comment.

  1. alesk | 10.02.2010 at 00:00

    Grants needed for export…
    Make sure you explicitly grant execute on those packages to non-DBA user running exp/imp, otherwise you’ll receive error ORA-00904, such as:

    ...
About to export specified users ...
. exporting pre-schema procedural objects and actions
. exporting foreign function library names for user DISCADMIN 
. exporting PUBLIC type synonyms
EXP-00008: ORACLE error 904 encountered
ORA-00904: : invalid identifier
EXP-00000: Export terminated unsuccessfully

    It’s reasonable to allow DBA’s to run export:

    connect / as sysdba
grant execute on DBMS_JVM_EXP_PERMS to dba;
grant execute on DBMS_JAVA to dba;
grant execute on DBMS_JAVA_TEST to dba;