Access to external executables must be disabled or restricted.
An XCCDF Rule
Description
<VulnDiscussion>The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally from the database under operating system controls. The external procedure process is the subject of frequent and successful attacks as it allows unauthenticated use of the Oracle process account on the operating system. As of Oracle version 11.1, the external procedure agent may be run directly from the database and not require use of the Oracle listener. This reduces the risk of unauthorized access to the procedure from outside of the database process.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-220288r879587_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
If use of the external procedure agent is required, then authorize and document the requirement in the System Security Plan.
If the external procedure agent must be accessible to the Oracle listener, then specify this and authorize it in the System Security Plan.
If use of the Oracle External Procedure agent is not required: