
Oracle accounts should not have permission to view the table SYS.LINK$, which contains unencrypted database link passwords.


Overview

Finding ID: V-2587
Version: DO3686-ORACLE10
Rule ID: SV-24939r2_rule
IA Controls: ECAN-1
Severity: High
Description
The SYS.LINK$ table contains unencrypted passwords to enable transparent connections to remote databases. In addition, remote database connections themselves can provide information to unauthorized users about remote databases that may assist them in furthering unauthorized access.
STIG: Oracle Database 10g Instance STIG
Date: 2014-04-02

Details

Check Text (C-26566r2_chk)
If the database version is 10.2 or later, this check is Not Applicable.

From SQL*Plus:

  select grantee||': '||privilege from dba_tab_privs
  where grantee <> 'DELETE_CATALOG_ROLE'
  and table_name='LINK$'
  and grantee not in
    (select grantee from dba_role_privs where granted_role='DBA');

If any records are returned, this is a Finding.
Fix Text (F-22859r1_fix)
There are no workarounds to protect against this potential vulnerability, but it is possible to reduce the potential impact by performing the steps below:

1. Drop the database link and create a link without specifying an account and password. To drop and recreate a database link without hard coding the password, execute the commands:

From SQL*Plus:

  drop database link [link name];
  create database link [link name] using [connection string];

2. Revoke permissions from accounts and roles:

From SQL*Plus:

  revoke select on SYS.LINK$ from [account or role];
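
The check and both fix steps combined into one SQL*Plus review script. This is an added example, not part of the STIG text. It assumes a DBA session that can read V$INSTANCE, DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_DB_LINKS; the DBA_DB_LINKS query and the owner filter go beyond the check text. The generated statements are for review before anything is run.

```sql
-- Added example (not STIG text). Run from SQL*Plus as a DBA.
SET PAGESIZE 100 LINESIZE 200

-- 1. Applicability: version 10.2 or later makes this check Not Applicable.
SELECT version FROM v$instance;

-- 2. The STIG check, extended to emit the matching REVOKE per finding.
--    owner = 'SYS' is added here so that only SYS.LINK$ is considered.
--    The grantee is double-quoted so mixed-case names revoke correctly.
SELECT grantee || ': ' || privilege AS finding,
       'revoke ' || privilege || ' on SYS.LINK$ from "' || grantee || '";'
         AS fix_stmt
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'LINK$'
   AND grantee <> 'DELETE_CATALOG_ROLE'
   AND grantee NOT IN (SELECT grantee
                         FROM dba_role_privs
                        WHERE granted_role = 'DBA')
 ORDER BY grantee, privilege;

-- 3. Links that store an account (fix step 1 candidates).
--    USERNAME is NULL for links created without credentials and
--    'CURRENT_USER' for current-user links; neither stores a password.
--    HOST holds the connection string used when the link was created.
--    A private link must be dropped and recreated while connected as
--    its owner; PUBLIC links need the "public" keyword.
SELECT owner,
       db_link,
       username,
       'drop ' || DECODE(owner, 'PUBLIC', 'public ', '')
         || 'database link ' || db_link || ';' AS drop_stmt,
       'create ' || DECODE(owner, 'PUBLIC', 'public ', '')
         || 'database link ' || db_link
         || ' using ''' || host || ''';' AS create_stmt
  FROM dba_db_links
 WHERE username IS NOT NULL
   AND username <> 'CURRENT_USER'
 ORDER BY owner, db_link;
```

Rows from query 2 are the Finding; zero rows there means the check passes even if query 3 still lists links with stored accounts.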