UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16053 DO6750-ORACLE11 SV-55940r2_rule ECLP-1 Medium
Description
The database is vulnerable to exhaustion of resources that could result in a Denial of Service (DoS) to other clients if not protected from a flood of bad packets submitted by a malicious or errant client connection. The sec_protocol_error_further_action initialization parameter can be set to delay or drop acceptance of bad packets from a client in order to support the continued function of other non-problematic connections.
STIG Date
Oracle Database 11g Instance STIG 2015-03-26

Details

Check Text ( C-17062r2_chk )
From SQL*Plus:

select upper(value) from v$parameter
where name = 'sec_protocol_error_further_action';

If the value returned does not include DROP or DELAY, this is a Finding.
Fix Text (F-16156r1_fix)
Set the value for the sec_protocol_error_further_action initialization parameter to DROP or DELAY.

DROP provides better protection and is recommended.

From SQL*Plus:

alter system set sec_protocol_error_further_action = 'drop' scope = spfile;
OR
alter system set sec_protocol_error_further_action = 'drop,3' scope = spfile;

NOTE: The addition of the ‘,3’ above further limits the number of ‘bad packets’ to the specified number before forcefully terminating the connection.

The above SQL*Plus command will set the parameter to take effect at next system startup.