Security bug – DBMS_JAVA

Until Oracle ships a patch for the recently reported bug related to some DBMS packages, I decided to follow the recommendation on Miladin Modrakovic's blog and revoked execute privileges from public:

revoke execute on DBMS_JVM_EXP_PERMS from public;
revoke execute on DBMS_JAVA from public;
revoke execute on DBMS_JAVA_TEST from public;
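
A check to run after the revoke, added here as an example and not part of the original post: it lists who still holds EXECUTE on the three packages, directly or through a role. It assumes a session that can read the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views.

```sql
-- Added example: audit EXECUTE grants on the three packages named in the post.
-- Assumes the session can query the DBA_* dictionary views.

-- 1) Direct grantees. PUBLIC must not appear once the revokes have run.
SELECT p.owner,
       p.table_name AS package_name,
       p.grantee,
       p.grantable,
       CASE WHEN p.grantee = 'PUBLIC'
            THEN 'STILL EXPOSED'
            ELSE 'explicit grant'
       END AS status
FROM   dba_tab_privs p
WHERE  p.privilege = 'EXECUTE'
AND    p.table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST')
ORDER  BY p.table_name, p.grantee;

-- 2) Users who reach one of those grants through a role, following nested roles.
--    Each DBA_ROLE_PRIVS row is treated as a possible root; CONNECT_BY_ROOT
--    keeps the role at the top of the chain so it can be matched to a grantee.
WITH pkg_grantees AS (
  SELECT DISTINCT table_name, grantee
  FROM   dba_tab_privs
  WHERE  privilege = 'EXECUTE'
  AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST')
),
role_chain AS (
  SELECT grantee AS holder,
         CONNECT_BY_ROOT granted_role AS root_role
  FROM   dba_role_privs
  CONNECT BY PRIOR grantee = granted_role
)
SELECT DISTINCT g.table_name AS package_name,
       g.grantee    AS granted_to_role,
       u.username   AS effective_user
FROM   pkg_grantees g
JOIN   role_chain r ON r.root_role = g.grantee
JOIN   dba_users  u ON u.username  = r.holder   -- keep users, drop intermediate roles
ORDER  BY package_name, granted_to_role, effective_user;
```

An empty result from the second query together with no PUBLIC row in the first means only the directly listed grantees can execute the packages.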

Posted on 09.02.2010, in Oracle. 1 Comment.

  1. Grants needed for export…
    Make sure you explicitly grant execute on those packages to the non-DBA user running exp/imp, otherwise you’ll receive error ORA-00904, such as:

    ...
    About to export specified users ...
    . exporting pre-schema procedural objects and actions
    . exporting foreign function library names for user DISCADMIN 
    . exporting PUBLIC type synonyms
    EXP-00008: ORACLE error 904 encountered
    ORA-00904: : invalid identifier
    EXP-00000: Export terminated unsuccessfully
    

    It’s reasonable to allow DBAs to run export:

    connect / as sysdba
    grant execute on DBMS_JVM_EXP_PERMS to dba;
    grant execute on DBMS_JAVA to dba;
    grant execute on DBMS_JAVA_TEST to dba;