Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15636 | DG0129-ORACLE11 | SV-24967r1_rule | IAIA-1 IAIA-2 | High |
Description |
---|
DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. |
STIG | Date |
---|---|
Oracle Database 11g Installation STIG | 2015-12-21 |
Check Text ( C-29867r1_chk ) |
---|
Oracle natively encrypts passwords in transit when using Oracle connection protocols and products (i.e. Oracle Client). Where other connection products and protocols are used, review configuration options for encrypting passwords during login events across the network. If passwords are not encrypted, this is a Finding. Where only Oracle connection protocols and products are used and password encryption is not purposely disabled and enabled where applicable, this is Not a Finding. If determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a Finding. |
Fix Text (F-25688r1_fix) |
---|
Utilize Oracle connection protocols and products (i.e. Oracle Client) where possible. Where other connection products and protocols are used, ensure configuration options for encrypting passwords during login events across the network are used. If the database does not provide encryption for login events natively, employ encryption at the OS or network level. Ensure passwords remain encrypted from source to destination. |