Oracle OWM_ASSERT_PKG Built-In Package Versions 12.2 - 19.3
Security Advisory
OWM stands for Oracle Wallet Manager. When you see the word "ASSERT" in an Oracle object you should be alert to a possible relationship to SQL Injection attacks. The package is undocumented, and it caused us a bit of concern in versions 12.2 through 18.3 because all of its functionality could be reached by calling the package directly. As of database version 19.3 Oracle has made every object in the package subject to an ACCESSIBLE BY clause so that it can no longer be accessed directly by either SYS or WMSYS. So, while versions 12.2 through 18.3 are still in use, we will keep this page in the code library as a warning to those that have these versions.
Recommended Security Rules
NEVER
How Oracle Works
ACCESSIBLE BY Clause | The How Oracle Works section of this page is not necessary: we are not aware of any specific risk related to this package, and the generic concerns we would normally have when functionality appears related to Oracle Wallet Manager and SQL Injection have been mitigated as of version 19c through Oracle's use of the ACCESSIBLE BY clause. The ACCESSIBLE BY clause was added to the Oracle database as of version 12.1 and should be considered mandatory any time a PL/SQL object is stored in the database, unless that object is intended to be called directly, from the command line or by an application, by any user no matter who they are or why they wish to do so, and the PL/SQL object has been carefully vetted and cannot possibly pose a security risk. Use the link at page bottom to learn more about the ACCESSIBLE BY clause here at DBSecWorx, and also review Oracle's online docs and Tim Hall's excellent page on the syntax.
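The effect of the ACCESSIBLE BY clause described above, as an added example that is not from the original page or from Oracle's package source. The names app_assert_pkg, app_api_pkg, quote_name and row_count are hypothetical, and the two dictionary queries at the end assume a session that can read the DBA views on a 12.2 through 18.3 database.

```sql
-- Added example; app_assert_pkg, app_api_pkg, quote_name, row_count are hypothetical.
-- 1. Helper package that only app_api_pkg is allowed to reference.
CREATE OR REPLACE PACKAGE app_assert_pkg
  AUTHID DEFINER
  ACCESSIBLE BY (PACKAGE app_api_pkg)
AS
  FUNCTION quote_name(p_name IN VARCHAR2) RETURN VARCHAR2;
END app_assert_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_assert_pkg AS
  FUNCTION quote_name(p_name IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    -- SIMPLE_SQL_NAME raises ORA-44003 unless p_name is a simple SQL name
    RETURN DBMS_ASSERT.SIMPLE_SQL_NAME(p_name);
  END quote_name;
END app_assert_pkg;
/
-- 2. The whitelisted caller: the only unit that may use the helper.
CREATE OR REPLACE PACKAGE app_api_pkg AUTHID DEFINER AS
  FUNCTION row_count(p_table IN VARCHAR2) RETURN NUMBER;
END app_api_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_api_pkg AS
  FUNCTION row_count(p_table IN VARCHAR2) RETURN NUMBER IS
    l_cnt NUMBER;
  BEGIN
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM ' || app_assert_pkg.quote_name(p_table)
      INTO l_cnt;
    RETURN l_cnt;
  END row_count;
END app_api_pkg;
/
-- 3. A direct call, even from the owning schema, is rejected at compile
--    time with PLS-00904 (insufficient privilege to access the object).
BEGIN
  DBMS_OUTPUT.PUT_LINE(app_assert_pkg.quote_name('EMP'));
END;
/
-- 4. On 12.2 - 18.3, where the WMSYS package lacks ACCESSIBLE BY, review who
--    can reach it. The page states no privileges are granted, so any row
--    returned by the first query deserves a closer look.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'WMSYS' AND table_name = 'OWM_ASSERT_PKG';
-- Holders of this system privilege can run packages in other schemas
-- without an object grant.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXECUTE ANY PROCEDURE';
```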
OWM_ASSERT_PKG Package Information
AUTHID | DEFINER
Dependencies |
Documented | No
First Available | 12.2
Security Model | Owned by WMSYS with no privileges granted. As of version 19c this package is now protected with the ACCESSIBLE BY clause.
Source | {ORACLE_HOME}/rdbms/admin/owmasrts.plb
Subprograms
ASSERT
Undocumented. In versions 12.2 through 18.3 this function was not protected with the ACCESSIBLE BY clause.
owm_assert_pkg.assert(
SQL> sho user
ASSERT_WS
Returns the var string enclosed in single quotes whether TRUE or FALSE. In versions 12.2 through 18.3 this function was not protected with the ACCESSIBLE BY clause.
owm_assert_pkg.assert_ws(
SQL> DECLARE
ASSERT_WS_NEQ
Appears to return the test string unchanged whether TRUE or FALSE. In versions 12.2 through 18.3 this function was not protected with the ACCESSIBLE BY clause.
owm_assert_pkg.assert_ws_neq(
DECLARE
NOOP
Undocumented
Overload 1 | Appears to return the test string unchanged whether TRUE or FALSE. In versions 12.2 through 18.3 this function was not protected with the ACCESSIBLE BY clause.
owm_assert_pkg.noop(
DECLARE
Overload 2 | In versions 12.2 through 18.3 this function was not protected with the ACCESSIBLE BY clause.
owm_assert_pkg.noop(
DECLARE
VERIFYCALLSTACK
Undocumented. In versions 12.2 through 18.3 this function was not protected with the ACCESSIBLE BY clause.
owm_assert_pkg.verifycallstack;
exec wmsys.owm_assert_pkg.verifycallstack;