Hi Community, we've just had a vulnerability assessment for our Oracle database and one finding is to revoke EXECUTE ANY PROCEDURE from OUTLN.
The CIS benchmark recommends doing the same, but we are hesitant to revoke the privilege because it may cause instability of the feature.
CIS Oracle Database 12c Benchmark goes like this:
4.9 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN' (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
Remove unneeded privileges from OUTLN
Rationale:
Migrated OUTLN users have more privileges than required.
We tried to reach out to Oracle support to ask whether this should really be revoked, or whether there are workarounds that can be applied, but this was the response:
"OUTLN requires this privilege in order for stored outlines to function. So revoking these privileges may create problems for the Optimizer Plan Stability feature. So we do not recommend revoking this privilege. We would not support having the user altered, as it would break the functionality of the user. If you do, Oracle will not be liable for any damage caused by that action."
I believe that the CIS benchmark has already considered the effect of revoking the privilege before recommending this remediation.
Can someone shed light on this matter? Any inputs will be appreciated.
Thank you!
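For anyone weighing the same finding, here is an added example (not from the original post, and not CIS's or Oracle's own scripts) of the checks a DBA would run before deciding: confirm the privilege is really granted, see whether any stored outlines exist at all, and, if they do, exercise one on a test system with the privilege revoked before touching production. Stored outlines have been deprecated in favour of SQL Plan Management since 11g, so on many databases DBA_OUTLINES is simply empty and the revoke changes nothing observable. The test outline name, category and query are assumptions for illustration; running the smoke test assumes the CREATE ANY OUTLINE privilege on a non-production database.

```sql
-- Added example: audit and test steps around CIS 4.9 (EXECUTE ANY PROCEDURE on OUTLN).
-- Not from the original post, CIS or Oracle; outline/category names are placeholders.

-- 1. Audit: is the privilege actually granted to OUTLN? (mirrors the CIS check)
--    In a 12c multitenant database, query CDB_SYS_PRIVS instead so CON_ID shows
--    which container each grant lives in.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee   = 'OUTLN'
   AND privilege = 'EXECUTE ANY PROCEDURE';

-- 2. Are stored outlines in use at all? If this returns no rows, the feature the
--    support answer worries about is not being used on this database.
SELECT owner, name, category, used, enabled
  FROM dba_outlines;

-- 3. Smoke test on a NON-PRODUCTION copy: create a throwaway outline, revoke the
--    privilege, and check the optimizer still picks the outline up.
--    (assumed test objects: category OUTLN_TEST_CAT, outline OL_TEST on DUAL)
CREATE OR REPLACE OUTLINE ol_test
   FOR CATEGORY outln_test_cat
    ON SELECT /* outln_test */ dummy FROM dual;

REVOKE EXECUTE ANY PROCEDURE FROM outln;        -- the CIS remediation itself

ALTER SESSION SET use_stored_outlines = outln_test_cat;
SELECT /* outln_test */ dummy FROM dual;        -- should still run; if the outline
                                                -- was applied, V$SQL records it
SELECT sql_text, outline_category
  FROM v$sql
 WHERE sql_text LIKE '%outln_test%'
   AND sql_text NOT LIKE '%v$sql%';

-- 4. Clean up the test objects; re-grant only if the smoke test actually broke.
ALTER SESSION SET use_stored_outlines = false;
DROP OUTLINE ol_test;
-- Rollback path kept for completeness:
-- GRANT EXECUTE ANY PROCEDURE TO outln;
```

If step 2 returns rows, the exercise in step 3 is the evidence to put in front of the assessor either way: either the outline is still applied after the revoke (finding can be closed) or it is not (the exception is justified by a reproducible test rather than by the support ticket alone).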