I noticed an interesting security problem (exploit?) on Oracle Enterprise Manager Cloud Control 13cR2 (I tested on EM13cR1 and it also exists there). When you create an Enterprise Manager administrator, you need to grant some special privileges to that administrator if you want them to access the performance pages, but it seems there’s an alternative way to reach the performance pages without those extra privileges.
Let’s say I created a new administrator with default roles (EM_USER and PUBLIC), and granted “Connect Target Read-only” for a target “RAC database”. I also granted access to a named credential or shared database login credentials.
When the new administrator goes to the “RAC database” home page, they will see that all links related to the performance pages are greyed out (disabled) in the menu. This is the expected situation: we do not want them to access the performance pages, and it seems they can’t.
On the other hand, when the new administrator goes to the database targets page and clicks the database on the database load map, they land directly on the performance page!
All menus related to the performance page are still disabled, but our new administrator can simply click the “Top Activity” link and access the Top Activity page too!
They can even see the running SQL statements by holding the pointer over the SQL IDs in the Top SQL list. On the other hand, they won’t be able to connect to the nodes individually. If the target is not a RAC database, they will land on the performance page of the instance. So the problem is that the “database load map” does not check the privileges of the administrator.
I couldn’t decide whether this is a security exploit or maybe a hidden feature 🙂