V-270557
Oracle Database 19c Security Technical Implementation Guide
Title
Access to external executables must be disabled or restricted.
Description
The Oracle external procedure capability provides use of the Oracle process account outside the operation of the database management system (DBMS) process. It can be used to submit and execute applications stored externally from the database under operating system controls. The external procedure process is the subject of frequent and successful attacks as it allows unauthenticated use of the Oracle process account on the operating system. As of Oracle version 11.1, the external ...
Fix Text (Documentation Requirement)
If use of the external procedure agent is required, then authorize and document the requirement in the system documentation. If the external procedure agent must be accessible to the Oracle listener, then specify this and authorize it in the system documentation.

If use of the Oracle External Procedure agent is not required:
1. Stop the Oracle Listener process.
2. Remove all references to extproc in the listener.ora and tnsnames.ora files.
3. Alter the permissions on the executable files:
   Unix: Remove read/write/execute permissions from owner, group, and world.
   Windows: Remove Groups/Users from the executable (except groups SYSTEM and ADMINISTRATORS) and allow READ [only] for SYSTEM and ADMINISTRATORS groups.

If required:
1. Restrict extproc execution to only authorized applications. ...
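
A Unix check for the "not required" branch of the fix text, added here as an example and not part of the STIG: it flags any remaining extproc reference in listener.ora or tnsnames.ora and verifies that the agent binary has no permission bits left. The file locations ($TNS_ADMIN or $ORACLE_HOME/network/admin for the config files, $ORACLE_HOME/bin/extproc for the executable) and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not STIG content. Assumed layout: listener.ora/tnsnames.ora
# under $TNS_ADMIN (else $ORACLE_HOME/network/admin); agent binary at
# $ORACLE_HOME/bin/extproc.

# Print each non-comment line mentioning extproc (case-insensitive) as
# file:line:text. Returns 0 if at least one reference remains, 1 otherwise.
extproc_refs() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        # /dev/null forces grep to print the file name even for one file
        if grep -in 'extproc' "$f" /dev/null |
           grep -v '^[^:]*:[0-9]*:[[:space:]]*#'; then
            found=0
        fi
    done
    return $found
}

# Returns 0 only if owner, group and world have no r/w/x bits (mode 000),
# or if the file does not exist at all.
perms_removed() {
    [ -e "$1" ] || return 0
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?---------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Combined audit: returns 0 when compliant, 1 when any finding is reported.
audit_extproc() {
    admin=${TNS_ADMIN:-$ORACLE_HOME/network/admin}
    rc=0
    if extproc_refs "$admin/listener.ora" "$admin/tnsnames.ora"; then
        echo "FINDING: extproc still referenced in listener.ora/tnsnames.ora"
        rc=1
    fi
    if ! perms_removed "$ORACLE_HOME/bin/extproc"; then
        echo "FINDING: $ORACLE_HOME/bin/extproc still has permission bits set"
        rc=1
    fi
    return $rc
}

# Run as: sh script.sh --audit   (with ORACLE_HOME set)
if [ "${1:-}" = "--audit" ]; then audit_extproc; exit $?; fi
```

Commented-out entries are ignored by the reference check, so a line that was disabled with `#` rather than deleted will not be reported; delete it if the documentation requires that no reference remain.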