/*
   Argeniss - Information Security
   http://www.argeniss.com
   info>at<argeniss.com


   Workaround for vulnerability on CWM2_OLAP_AW_AWUTIL package.
   No patch is available for Oracle Database Server 9iR2; a patch is available only for 10g. Oracle will release a patch in October.
   http://www.argeniss.com/research.html
   http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html
*/

-- WARNING: This workaround may cause your application to work incorrectly
-- if it depends (directly or indirectly) on any of the affected database objects.

-- REVOKE_EXECUTE_PRIV: This procedure revokes all the EXECUTE privileges granted
-- to the database object identified by the parameters P_OWNER and P_OBJECT_NAME.
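CREATE OR REPLACE PROCEDURE REVOKE_EXECUTE_PRIV (P_OWNER IN VARCHAR2,
 P_OBJECT_NAME IN VARCHAR2) IS
  -- Revokes the EXECUTE privilege on P_OWNER.P_OBJECT_NAME from every grantee
  -- that DBA_TAB_PRIVS lists as holding it.
  --
  -- Parameters:
  --   P_OWNER        owner of the object, spelled exactly as stored in the
  --                  data dictionary (normally upper case).
  --   P_OBJECT_NAME  name of the object, spelled exactly as stored in the
  --                  data dictionary.
  --
  -- Errors: an error raised by a REVOKE is not caught, so it stops the loop
  -- and reaches the caller; grantees not yet processed keep the privilege.
  --
  -- Operational notes:
  --   * No AUTHID clause is given, so the procedure runs with its owner's
  --     privileges. The owner needs directly granted access to DBA_TAB_PRIVS
  --     (privileges held only through a role are not active here) and the
  --     right to revoke the object privilege.
  --   * Do not grant EXECUTE on this helper to other accounts, and drop it
  --     once the workaround has been applied.
  --   * Run SET SERVEROUTPUT ON beforehand to see the progress messages.

  -- Only EXECUTE grants are selected: a grantee holding some other privilege
  -- on the object would make REVOKE EXECUTE fail. DISTINCT avoids a second
  -- REVOKE for a grantee that appears more than once (several grantors).
  CURSOR my_cur IS
    SELECT DISTINCT grantee
      FROM dba_tab_privs
     WHERE owner = P_OWNER
       AND table_name = P_OBJECT_NAME
       AND privilege = 'EXECUTE';

  v_target  VARCHAR2(200);
  v_grantee VARCHAR2(100);
  v_count   PLS_INTEGER := 0;
BEGIN
  -- Names are placed in the statement as quoted identifiers (with any double
  -- quote stripped) so that mixed-case or unusual names are taken literally
  -- and can never be read as additional SQL text.
  v_target := '"' || REPLACE(P_OWNER, '"') || '"."'
                  || REPLACE(P_OBJECT_NAME, '"') || '"';

  FOR my_rec IN my_cur
  LOOP
    -- PUBLIC is passed through as the keyword rather than as a quoted name.
    IF my_rec.grantee = 'PUBLIC' THEN
      v_grantee := 'PUBLIC';
    ELSE
      v_grantee := '"' || REPLACE(my_rec.grantee, '"') || '"';
    END IF;

    DBMS_OUTPUT.PUT_LINE ('Revoking EXECUTE privilege from ' || my_rec.grantee);
    EXECUTE IMMEDIATE 'REVOKE EXECUTE ON ' || v_target || ' FROM ' || v_grantee || ' FORCE';
    v_count := v_count + 1;
  END LOOP;

  -- Make a no-op run visible: a misspelled owner or object name would
  -- otherwise look the same as a successful clean-up.
  IF v_count = 0 THEN
    DBMS_OUTPUT.PUT_LINE ('No EXECUTE grants found on ' || P_OWNER || '.' || P_OBJECT_NAME);
  END IF;
END REVOKE_EXECUTE_PRIV;
/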


-- To remove all execute privileges granted on vulnerable objects execute this PL/SQL:
-- Applies the workaround to the affected package: every grantee found for
-- OLAPSYS.CWM2_OLAP_AW_AWUTIL loses EXECUTE on it.
DECLARE
  c_owner   CONSTANT VARCHAR2(30) := 'OLAPSYS';
  c_package CONSTANT VARCHAR2(30) := 'CWM2_OLAP_AW_AWUTIL';
BEGIN
  REVOKE_EXECUTE_PRIV (P_OWNER       => c_owner,
                       P_OBJECT_NAME => c_package);
END;
/


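-- Alternative to the block above: to remove only the execute privilege granted
-- to the PUBLIC role on vulnerable objects, execute this statement instead.
-- (If the block above has already run, the PUBLIC grant is gone and this
-- statement reports an error because nothing is left to revoke.)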
-- Removes only the grant made to PUBLIC; EXECUTE granted directly to
-- individual users or roles on this package stays in place.
REVOKE EXECUTE
    ON OLAPSYS.CWM2_OLAP_AW_AWUTIL
  FROM PUBLIC
 FORCE;

