UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Oracle Application Express or Oracle HTML DB should not be installed on a production database.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16055 DO6753-ORACLE11 SV-24961r1_rule ECSD-1 ECSD-2 Medium
Description
The Oracle Application Express, formerly called HTML DB, is an application development component installed by default with Oracle. Unauthorized application development can introduce a variety of vulnerabilities to the database.
STIG Date
Oracle Database 11g Installation STIG 2014-04-02

Details

Check Text ( C-28654r1_chk )
From SQL*Plus:
select count(*) from dba_users where username like 'FLOWS_%';

If the value returned is not 0 and the database is a production system, this is a Finding.
Fix Text (F-25681r1_fix)
Remove Application Express using the instruction found in Oracle MetaLink Note 558340.1 from production DBMS systems.

For new installations, select custom installation and de-select Application Express from the selectable options if available.