UCF STIG Viewer Logo

Passwords should be encrypted when transmitted across the network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15636 DG0129-ORACLE10 SV-24966r1_rule IAIA-1 IAIA-2 High
Description
DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.
STIG Date
Oracle Database 10g Installation STIG 2014-04-02

Details

Check Text ( C-20437r1_chk )
Oracle natively encrypts passwords in transit when using Oracle connection protocols and products (i.e. Oracle Client).

Where other connection products and protocols are used, review configuration options for encrypting passwords during login events across the network.

If passwords are not encrypted, this is a Finding.

Where only Oracle connection protocols and products are used and password encryption is not purposely disabled and enabled where applicable, this is Not a Finding.

If determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a Finding.
Fix Text (F-24533r1_fix)
Utilize Oracle connection protocols and products (i.e. Oracle Client) where possible.

Where other connection products and protocols are used, ensure configuration options for encrypting passwords during login events across the network are used.

If the database does not provide encryption for login events natively, employ encryption at the OS or network level.

Ensure passwords remain encrypted from source to destination.