UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Oracle accounts should not have permission to view the table SYS.LINK$ which contain unencrypted database link passwords.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2587 DO3686-ORACLE10 SV-24939r2_rule ECAN-1 High
Description
The SYS.LINK$ table contains unencrypted passwords to enable transparent connections to remote databases. In addition, remote database connections themselves can provide information to unauthorized users about remote databases that may assist them in furthering unauthorized access.
STIG Date
Oracle Database 10g Instance STIG 2014-04-02

Details

Check Text ( C-26566r2_chk )
If the database version is 10.2 or later, this check is Not Applicable. From SQL*Plus: select grantee||': '||privilege from dba_tab_privs where grantee <> 'DELETE_CATALOG_ROLE' and table_name='LINK$' and grantee not in (select grantee from dba_role_privs where granted_role='DBA'); If any records are returned, this is a Finding.
Fix Text (F-22859r1_fix)
There are no workarounds to protect against this potential vulnerability but it is possible to reduce the potential impact by performing the steps below: 1. Drop the database link and create a link without specifying an account and password. To drop and recreate a database link without hard coding the password, execute the commands: From SQL*Plus: drop database link [link name]; create database link [link name] using [connection string]; 2. Revoke permissions from accounts and roles: From SQL*Plus: revoke select on SYS.LINK$ from [account or role];