| Topic | 
                    Versions | 
                    Updated Date | 
                    Comment | 
                  
                  
                    | Accessible By Clause | 
                    12.1 - 19c | 
                    24-Jun-2019 | 
                    How do you keep PL/SQL code from being executed independently rather than only as part of the application? | 
                  
                  
                    | Data Control Language (DCL) | 
                    All - 21c | 
                    26-Dec-2020 | 
                    DCL includes the GRANT and REVOKE statements. This page is a quick security review. | 
                  
                  
                    | Data Definition Language (DDL) | 
                    All - 21c | 
                    26-Dec-2020 | 
                    Misuse of DDL commands can result in denial of service and outages, and can assist data theft. | 
                  
                  
                    | Database Vault | 
                    All - 19c | 
                    01-Dec-2019 | 
                    Database Vault is a valuable tool but it also has one major weakness: Learn about it now. | 
                  
                  
                    | DBMS_ADVANCED_REWRITE | 
                    10.1 - 21c | 
                    20-Feb-2021 | 
                    You wrote good code and tested it thoroughly. Too bad the optimizer isn't running it. | 
                  
                  
                    | DBMS_ASSERT | 
                    10.2 - 21c | 
                    20-Feb-2021 | 
                    An essential tool that, properly used, puts an end to SQL Injection attacks. | 
                  
                  
                    | DBMS_AUDIT_MGMT | 
                    11.1 - 21c | 
                    20-Feb-2021 | 
                    API for managing database auditing. Be sure you carefully monitor its use. | 
                  
                  
                    | DBMS_AUDIT_UTIL | 
                    12.2 - 21c | 
                    29-Feb-2021 | 
                    Contains functions for formatting the output to audit views. | 
                  
                  
                    | DBMS_CRYPTO | 
                    10.1 - 21c | 
                    24-Jul-2021 | 
                    The issue with this package is that the docs are incomplete and what you don't know is dangerous. | 
                  
                  
                    | DBMS_CRYPTO_FFI | 
                    12.1 - 21c | 
                    24-Jul-2021 | 
                    There are no known issues specific to this package but rather risks associated with DBMS_CRYPTO. | 
                  
                  
                    | DBMS_CRYPTO_INTERNAL | 
                    12.2 - 21c | 
                    24-Jul-2021 | 
                    There are no known issues specific to this package but rather risks associated with DBMS_CRYPTO.  | 
                  
                  
                    | DBMS_DEBUG_JDWP | 
                    9.0 - 21c | 
                    24-Jul-2021 | 
                    Connects/disconnects debug using the JDWP protocol. Note that this package requires a database ACL. | 
                  
                  
                    | DBMS_DISRUPT | 
                    12.2 - 21c | 
                    26-Dec-2020 | 
                    Application Resilience API PL/SQL interface for disrupting sessions and services. | 
                  
                  
                    | DBMS_DISTRIBUTED_TRUST_ADMIN | 
                    9.0 - 21c | 
                    26-Dec-2020 | 
                    Maintains a database's "Trusted Server" list. | 
                  
                  
                    | DBMS_FGA | 
                    9.0 - 21c | 
                    24-Jul-2021 | 
                    If you are not using DBMS_FGA you are most likely not in compliance with HIPAA or "best" practices. | 
                  
                  
                    | DBMS_LOG | 
                    12.1 - 21c | 
                    24-Jul-2021 | 
                    A built-in API for writing to the ALERT and/or System logs. | 
                  
                  
                    | DBMS_LOGMNR | 
                    8.1.5 - 19c | 
                    08-Jul-2019 | 
                    Every database, relational or non-relational, has a transaction log. The more you learn, the safer you are. | 
                  
                  
                    | DBMS_METADATA | 
                    9.0 - 19c | 
                    01-Jun-2019 | 
                    Sometimes it is hard to choose which of the Oracle packages is the worst security compromise. | 
                  
                  
                    | DBMS_NETWORK_ACL_ADMIN | 
                    10.1 - 19c | 
                    29-Nov-2019 | 
                    Used to define and administer network ACEs and ACLs. | 
                  
                  
                    | DBMS_NETWORK_ACL_UTILITY | 
                    11.1 - 19c | 
                    26-Nov-2019 | 
                    Utility functions that facilitate managing network access permissions. | 
                  
                  
                    | DBMS_PQ_INTERNAL | 
                    12.2 - 19c | 
                    08-Jul-2019 | 
                    An undocumented, unsupported package, and we are not sure what it can do, so be sure no one uses it. | 
                  
                  
                    | DBMS_PREPROCESSOR | 
                    10.2 - 19c | 
                     02-Dec-2019 | 
                    A partially documented package that can retrieve post-processed source code. | 
                  
                  
                    | DBMS_PRIVILEGE_CAPTURE | 
                    12.1 - 19c | 
                    11-Jul-2019 | 
                    Knowing who has what privileges can assist or thwart an attack. | 
                  
                  
                    | DBMS_PRIV_CAPTURE | 
                    12.1 - 19c | 
                    18-Dec-2019 | 
                    Captures privileges used in Oracle-defined PL/SQL packages. Valuable information for an attack. | 
                  
                  
                    | DBMS_PROFILER | 
                    8.1 - 19c | 
                    18-Dec-2019 | 
                    Read this much in the docs: "Provides an interface to PL/SQL application code" to anticipate an issue. | 
                  
                  
                    | DBMS_PSWMG_IMPORT | 
                    N/A - 19c | 
                    14-Jun-2019 | 
                    Undocumented but has capabilities related to importing and purging password history. | 
                  
                  
                    | DBMS_SFW_ACL_ADMIN | 
                    12.2 - 19c | 
                    13-Nov-2019 | 
                    APIs to administer service Access Control List for Exadata and ExaCC Virtual Machines (VMs). | 
                  
                  
                    | DBMS_SQLDIAG | 
                    11.1 - 21c | 
                    20-Feb-2021 | 
                    How could SQL Diagnostics be an issue? In many, many ways. | 
                  
                  
                    | DBMS_SQLHASH | 
                    12.1 - 21c | 
                    20-Feb-2021 | 
                    Supported cryptographic hash function for SQL statements. | 
                  
                  
                    | DBMS_SQLQ | 
                    19c | 
                    28-Jun-2019 | 
                    New functionality in 19c and again Oracle grants execute to PUBLIC: An easy Denial of Service Attack. | 
                  
                  
                    | DBMS_SQL_TRANSLATOR | 
                    12.1 - 19c | 
                    15-Dec-2019 | 
                    You wrote good code and tested it thoroughly. Too bad the optimizer is trashing the database when it runs. | 
                  
                  
                    | DBMS_SQL_TRANSLATOR_EXPORT | 
                    12.1 - 19c | 
                    21-Dec-2019 | 
                    This internal support utility has EXECUTE granted to PUBLIC: And it is more frightening than that. | 
                  
                  
                    | DBMS_SUPPORT | 
                    7.2 - 21c | 
                    20-Feb-2021 | 
                    Tracing reveals information that is of value to attackers. | 
                  
                  
                    | DBMS_TRACE | 
                    8.1.5 - 21c | 
                    20-Feb-2021 | 
                    Tracing reveals information that is of value to attackers. | 
                  
                  
                    | DBMS_UTILITY | 
                    7.3.4 - 21c | 
                    19-Feb-2021 | 
                    Much of this package is essentially harmless utilities, but there is danger hiding there too. | 
                  
                  
                    | DBMS_WARNING | 
                    10.1 - 19c | 
                    03-Jun-2019 | 
                    PL/SQL Warnings are disabled by default; they shouldn't be. This is the API for managing them. | 
                  
                  
                    | DBMS_WARNING_INTERNAL | 
                    10.1 - 19c | 
                    14-Jun-2019 | 
                    An undocumented supporting package for DBMS_WARNING. | 
                  
                  
                    | DBMS_XDS | 
                    18.1 - 19c | 
                    12-Nov-2019 | 
                    An undocumented supporting package for Oracle Advanced Security. | 
                  
                  
                    | DBMS_XDS_INT | 
                    18.1 - 19c | 
                    12-Nov-2019 | 
                    An undocumented supporting package for Oracle Advanced Security. | 
                  
                  
                    | DBMS_XMLQUERY | 
                    9.2 - 19c | 
                    08-Mar-2020 | 
                    The overloaded NEWCONTEXT function has been used for exploits first demonstrated at Defcon 2011 | 
                  
                  
                    | DBMS_XSLPROCESSOR | 
                    10.1 - 19c | 
                    27-May-2019 | 
                    This package contains a vulnerability that can aid data exfiltration if not addressed. | 
                  
                  
                    | DBMS_XS_PRINCIPALS | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | DBMS_XS_SESSIONS | 
                    12.1 - 19c | 
                    27-Dec-2019 | 
                    Another RAS package with EXECUTE granted to PUBLIC. Learn how to protect your database from it. | 
                  
                  
                    | DBMS_XS_SESSIONS_FFI | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | EXECSEC.SQL | 
                    12.1 - 21c | 
                    20-Feb-2021 | 
                    This script is used by Oracle to execute SECCONF.SQL with or without Kernel Auditing | 
                  
                  
                    | Feature Usage Procedures | 
                    11.2 - 21c | 
                    04-Jan-2021 | 
                    This page is a review of the security-focused Feature Usage procedures owned by SYS and LBACSYS | 
                  
                  
                    | Fine Grained Auditing | 
                    9.0 - 19c | 
                    26-Nov-2019 | 
                    If you are not using DBMS_FGA you are most likely not in compliance with HIPAA or "best" practices. | 
                  
                  
                    | Fine Grained Data Security | 
                    18c - 20c | 
                    26-Mar-2020 | 
                    One way to minimize the risk of becoming the next Experian | 
                  
                  
                    | FIPS 140 | 
                    18c - 19c | 
                    09-Nov-2019 | 
                    FIPS-140 is the US Federal Information Processing computer security standard: Don't leave home without it. | 
                  
                  
                    | INSTEAD-OF Triggers | 
                    8.0 - 21c | 
                    22-Jan-2022 | 
                    Instead-Of Triggers can be used to obfuscate malicious activities | 
                  
                  
                    | Killing Sessions | 
                    All - 21c | 
                     02-Dec-2019 | 
                    An essential skill all DBAs must have during a breach is knowing how to kill sessions. Learn it well. | 
                  
                  
                    | LBAC_CACHE | 
                    10.1 - 21c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_EVENTS | 
                    10.1 - 21c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_EXP | 
                    12.2 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_LGSTNDBY_UTIL | 
                    10.1 - 21c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_POLICY_ADMIN | 
                    10.1 - 20c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_PRIVS | 
                    10.1 - 21c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_RLS | 
                    10.1 - 21c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_SERVICES | 
                    10.1 - 21c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_SESSION | 
                    10.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_STANDARD | 
                    10.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_SYSDBA | 
                    10.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC_UTL | 
                    10.1 - 20c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC$SA | 
                    10.1 - 20c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | LBAC$SA_LABELS | 
                    10.1 - 20c | 
                    19-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | Lockdown Profiles | 
                    12.2 - 19c | 
                    03-Jul-2019 | 
                    This single feature is important enough to justify moving to the new Container architecture. | 
                  
                  
                    | Native Dynamic SQL | 
                    8.1.5 - 21c | 
                    21-Jul-2021 | 
                    Constructing active SQL from strings is very powerful but can also hide dangerous code. | 
                  
                  
                    | NO AUTHENTICATION | 
                    All - 21c | 
                    11-Dec-2019 | 
                    Any user, human or mechid, that is not a proxy user account is an unnecessary security risk. | 
                  
                  
                    | Object Privileges | 
                    All - 21c | 
                    26-May-2019 | 
                    Some privileges have changed since version 7.3.4 but most have not and the principles are the same. | 
                  
                  
                    | OLS$DATAPUMP | 
                    10.1 - 20c | 
                    03-Dec-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | OLS_DIP_NTFY | 
                    10.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | OLS_ENFORCEMENT | 
                    10.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | OLS_UTIL_WRAPPER | 
                    10.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | Oracle Label Security | 
                    10.2 - 19c | 
                    14-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers. Here is a key to its components | 
                  
                  
                    | ORAPWD Utility | 
                    All - 21c | 
                    18-Jan-2020 | 
                    Oracle Password Utility | 
                  
                  
                    | OWM_ASSERT_PKG | 
                    12.2 - 19c | 
                    14-Jul-2019 | 
                    OWM stands for Oracle Wallet Manager ... "ASSERT" indicates a risk of SQL Injection attack. | 
                  
                  
                    | PL/SQL Warnings | 
                    10.1 - 19c | 
                    03-Jun-2019 | 
                    Invaluable and essentially never enabled. You should enable them in every database you have. | 
                  
                  
                    | Profiles | 
                    All - 21c | 
                    26-Dec-2020 | 
                    Profiles are a powerful security tool when used correctly. | 
                  
                  
                    | Proxy Users | 
                    All - 21c | 
                    22-Jan-2022 | 
                    Any user, human or mechid, that is not a proxy user account is an unnecessary security risk. | 
                  
                  
                    | Real Application Security | 
                    12.1 - 19c | 
                    18-Jan-2020 | 
                    A single point of access to all of our RAS related monographs. | 
                  
                  
                    | Real Application Security Privileges | 
                    12.1 - 19c | 
                    29-Dec-2019 | 
                    A review under development of RAS Privileges and what little we know about them: Which is very little. | 
                  
                  
                    | Recycle Bin | 
                    10.1 - 21c | 
                    20-Feb-2021 | 
                    Dropping a table does not mean that your data is gone. | 
                  
                  
                    | Ref Cursors | 
                    7.3 - 21c | 
                    22-Jul-2021 | 
                    Constructing active SQL from strings is very powerful but can also hide dangerous code. | 
                  
                  
                    | SA_AUDIT_ADMIN | 
                    12.1 - 20c | 
                    20-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | SA_COMPONENTS | 
                    12.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | SA_LABEL_ADMIN | 
                    12.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | SA_POLICY_ADMIN | 
                    12.1 - 20c | 
                    19-May-2020 | 
                    This object is a PUBLIC SYNONYM for LBAC_POLICY_ADMIN | 
                  
                  
                    | SA_SESSION | 
                    12.1 - 20c | 
                    20-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | SA_SYSDBA | 
                    12.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | SA_USER_ADMIN | 
                    12.1 - 20c | 
                    18-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | SA_UTL | 
                    12.1 - 20c | 
                    21-May-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | SECCONF.SQL | 
                    12.1 - 21c | 
                    20-Feb-2021 | 
                    Oracle added a new Secure Configuration script as of 12cR1: Understand what it does and when it is run. | 
                  
                  
                    | Secure Configuration | 
                    12.1 - 21c | 
                    20-Feb-2021 | 
                    Oracle added a new Secure Configuration script as of 12cR1: Understand what it does and when it is run. | 
                  
                  
                    | Security "Best Practices" | 
                    All - 21c | 
                    26-Dec-2019 | 
                    Our guide, still in development, as to what you should be focusing on to protect your data and databases. | 
                  
                  
                    | Startup Parameters | 
                    All - 21c | 
                    09-Apr-2020 | 
                    Many startup (initialization) parameters impact database security. | 
                  
                  
                    | System Privileges | 
                    All - 21c | 
                    26-May-2019 | 
                    Some privileges have changed since version 7.3.4 but many have not and the principles are the same. | 
                  
                  
                    | SYS_CONTEXT Functions | 
                    9.2 - 19c | 
                    19-May-2020 | 
                    Valuable functions that should be incorporated into auditing, exception handling, and logging. | 
                  
                  
                    | TO_LABEL_LIST | 
                    10.1 - 21c | 
                    21-Dec-2020 | 
                    Label security is vastly underappreciated by Oracle's customers: This package is one of its components. | 
                  
                  
                    | Users | 
                    All - 21c | 
                    11-Dec-2019 | 
                    Any user, human or mechid, that is not a proxy user account is an unnecessary security risk. | 
                  
                  
                    | USER_APPLICATION_ROLES | 
                    21c | 
                    09-May-2021 | 
                    The USER_APPLICATION_ROLES view has been added in 21c. Is that a good thing? | 
                  
                  
                    | UTL_ENCODE | 
                    9.0.1 - 21c | 
                    20-Feb-2021 | 
                    Functions that encode data into a standard encoded format: Perfect for a substitution attack. | 
                  
                  
                    | UTL_FILE | 
                    7.3.4 - 21c | 
                    20-Feb-2021 | 
                    This documented package can read and write files to and from the file system with the privileges of "oracle". | 
                  
                  
                    | UTL_HTTP | 
                    7.3.4 - 21c | 
                    20-Feb-2021 | 
                    What could possibly create an issue downloading internet content directly into an Oracle database? | 
                  
                  
                    | UTL_INADDR Exploit | 
                    8.1.7 - 21c | 
                    20-Feb-2021 | 
                    This documented package can be used to interrogate internal and external DNS servers to identify targets. | 
                  
                  
                    | UTL_I18N | 
                    10.1 - 21c | 
                    20-Feb-2021 | 
                    Intended to support globalization but can also support substitution attacks. | 
                  
                  
                    | UTL_MAIL | 
                    2002 - 21c | 
                    20-Feb-2021 | 
                    This documented package can send data directly from your database to anywhere. | 
                  
                  
                    | UTL_MAIL_INTERNAL | 
                    2002 - 21c | 
                    20-Feb-2021 | 
                    There are no known issues specific to this package but rather risks associated with UTL_MAIL. | 
                  
                  
                    | UTL_RAW | 
                    7.3 - 21c | 
                    20-Feb-2021 | 
                    Valuable functions that should be incorporated into auditing, exception handling, and logging. | 
                  
                  
                    | UTL_SMTP | 
                    8.1.7 - 21c | 
                    20-Feb-2021 | 
                    This documented package can, by default, send data directly from your database to anywhere. | 
                  
                  
                    | UTL_TCP | 
                    8.1.7 - 21c | 
                    20-Feb-2021 | 
                    What's the harm in making a TCP/IP connection from your database without authorization? Find out. | 
                  
                  
                    | XS_ACL | 
                    11.2 - 21c | 
                    26-Jul-2021 | 
                    A poorly documented piece of Real Application Security: Protect yourself from it. | 
                  
                  
                    | XS_ACL_INT | 
                    11.2 - 21c | 
                    26-Jul-2021 | 
                    Other than missing an ACCESSIBLE BY clause this should not be a cause for major concern. | 
                  
                  
                    | XS_ADMIN_INT | 
                    12.1 - 19c | 
                    02-Jan-2020 | 
                    Other than missing an ACCESSIBLE BY clause this should not be a cause for major concern. | 
                  
                  
                    | XS_ADMIN_UTIL | 
                    12.1 - 19c | 
                    29-Dec-2019 | 
                    Ready for a package that grants security privileges and has EXECUTE granted to PUBLIC? We aren't. | 
                  
                  
                    | XS_ADMIN_UTL_INT | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_DATA_SECURITY | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_DATA_SECURITY_INT | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_DATA_SECURITY_UTIL | 
                    12.1 - 19c | 
                    18-Jan-2020 | 
                    Part of RAS that can be used to schedule automatic refreshment for static ACL | 
                  
                  
                    | XS_DATA_SECURITY_UTIL_INT | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_DIAG | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_DIAG_INT | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_MTCACHE_INT | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_NAMESPACE | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_NAMESPACE_INT | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_PRINCIPAL | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_PRINCIPAL_INT | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_ROLESET | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_ROLESET_INT | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_SECURITY_CLASS | 
                    12.1 - 19c | 
                    In Development | 
                    TBD | 
                  
                  
                    | XS_SECURITY_CLASS_INT | 
                    12.1 - 19c | 
                    In Development | 
                    TBD |