EM13c: Unauthorized Access to Performance Pages

I noticed an interesting security problem (exploit?) on Oracle Enterprise Manager Cloud Control 13cR2 (I tested on EM13cR1 and it also exists there). When you create an Enterprise Manager administrator, you need to grant some special privileges to that administrator if you want them to access the performance pages, but it seems there’s an alternative way to reach the performance pages that does not require those extra privileges.

Let’s say I created a new administrator with default roles (EM_USER and PUBLIC), and granted “Connect Target Read-only” for a target “RAC database”. I also granted access to a named credential or shared database login credentials.

[Screenshot: performance menu]

When the new administrator goes to the “RAC database home” page, they will see that all links related to the performance pages are greyed out (disabled) on the menu. That is the expected situation: we do not want them to access the performance pages, and it seems they can’t.

[Screenshot: database load map]

On the other hand, when the new administrator goes to the database targets page and clicks “the database” on the database load map, they land directly on the performance page!

[Screenshot: performance home]

All menu items related to the performance page are still disabled, but our new administrator can simply click the “Top Activity” link and access the top activity page too!

[Screenshot: top activity page]

They can even see the running SQL statements by holding the pointer over the SQL IDs in the Top SQL list. On the other hand, they won’t be able to connect to the nodes individually. If the target is not a RAC database, they will land on the performance page of the instance. So the problem is that the “database load map” does not check the privileges of the administrator.
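The root cause described above is a classic one: the privilege check lives in the code that draws the menu, while a second navigation path (the load map) links straight to the page and never asks. The toy model below, an added example rather than anything from Oracle’s code, puts the two patterns side by side: the vulnerable router trusts that the menu already filtered the link, and the hardened router re-checks the privilege inside the page handler, so every entry point is covered. The role names EM_USER and PUBLIC and the “Connect Target Read-only” privilege come from the post; the page names, the “View Performance Pages” privilege name and the administrator record are constructed for illustration.

```python
"""Toy model of a UI-only authorization check (constructed example).

Two navigation paths lead to the same 'performance' page. The vulnerable
version enforces the privilege only where the menu is rendered; the hardened
version enforces it in the page handler itself, so every path is covered.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Administrator:
    name: str
    roles: frozenset            # EM roles, e.g. EM_USER and PUBLIC
    target_privileges: frozenset  # privileges granted on the database target

# Page -> privilege that should gate it. "View Performance Pages" is a
# hypothetical name standing in for whatever EM actually requires.
PAGE_REQUIRES = {
    "home": "Connect Target Read-only",
    "performance": "View Performance Pages",
    "top_activity": "View Performance Pages",
}

class AccessDenied(Exception):
    pass

def render_menu(admin):
    """Menu rendering: a link is enabled only if the admin holds its privilege."""
    return {page: priv in admin.target_privileges for page, priv in PAGE_REQUIRES.items()}

def load_map_click():
    """The load map links straight to the performance page, no check of its own."""
    return "performance"

def open_page_vulnerable(admin, page):
    # Vulnerable: assumes the caller (the menu) already filtered out this link.
    return f"{page} rendered for {admin.name}"

def open_page_hardened(admin, page):
    # Hardened: the handler itself decides, whichever path the request came from.
    required = PAGE_REQUIRES[page]
    if required not in admin.target_privileges:
        raise AccessDenied(f"{admin.name} lacks '{required}' for page '{page}'")
    return f"{page} rendered for {admin.name}"

def navigate(admin, entry_point, open_page):
    """Drive one navigation path through the given page handler."""
    if entry_point == "menu":
        if not render_menu(admin)["performance"]:
            return "link greyed out"
        page = "performance"
    elif entry_point == "load_map":
        page = load_map_click()
    else:
        raise ValueError(f"unknown entry point {entry_point!r}")
    try:
        return open_page(admin, page)
    except AccessDenied:
        # A denial here is worth logging: it means a non-menu path was used.
        return "access denied"

# Constructed administrator matching the setup in the post: default roles and
# only read-only access to the target.
READ_ONLY_ADMIN = Administrator(
    "newadmin", frozenset({"EM_USER", "PUBLIC"}), frozenset({"Connect Target Read-only"})
)
# Constructed administrator who has been granted the performance privilege too.
PERF_ADMIN = Administrator(
    "perfadmin", frozenset({"EM_USER", "PUBLIC"}),
    frozenset({"Connect Target Read-only", "View Performance Pages"}),
)

def simulate(admin):
    """Outcome of each (entry point, implementation) pair for one administrator."""
    return {
        ("menu", "vulnerable"): navigate(admin, "menu", open_page_vulnerable),
        ("load_map", "vulnerable"): navigate(admin, "load_map", open_page_vulnerable),
        ("menu", "hardened"): navigate(admin, "menu", open_page_hardened),
        ("load_map", "hardened"): navigate(admin, "load_map", open_page_hardened),
    }

if __name__ == "__main__":
    for (path, impl), outcome in simulate(READ_ONLY_ADMIN).items():
        print(f"{path:9s} {impl:11s} -> {outcome}")
```

For the read-only administrator the menu path is blocked in both versions, but only the hardened handler also blocks the load-map path; the privileged administrator gets the page through either path. The practical lesson for any console, not just EM, is that greying out a link is a usability nicety, and the authorization decision has to be made again at the resource.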

I couldn’t decide if this is a security exploit or maybe a hidden feature 🙂


AWS Big Data Specialist. Oracle Certified Professional (OCP) for EBS R12, Oracle 10g and 11g. Co-author of "Expert Oracle Enterprise Manager 12c" book published by Apress. Awarded as Oracle ACE (in 2011) and Oracle ACE Director (in 2016) for the continuous contributions to the Oracle users community. Founding member, and vice president of Turkish Oracle User Group (TROUG). Presented at various international conferences including Oracle Open World.

1 Comment

  1. Hello Gokhan

    It would be nice to have some feedback from Oracle Corp on that issue, because those of us that have Standard Edition could incur unwanted License charges unwittingly.

    Thank you for pointing that out, and let’s hope Oracle does something about it.
