Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16053 | DO6750-ORACLE11 | SV-55940r2_rule | | Medium |
Description |
---|
The database is vulnerable to exhaustion of resources that could result in a Denial of Service (DoS) to other clients if not protected from a flood of bad packets submitted by a malicious or errant client connection. The sec_protocol_error_further_action initialization parameter can be set to delay or drop acceptance of bad packets from a client in order to support the continued function of other non-problematic connections. |
STIG | Date |
---|---|
Oracle Database 11g Instance STIG | 2016-12-14 |
Check Text (C-17062r2_chk) |
---|
From SQL*Plus: `select upper(value) from v$parameter where name = 'sec_protocol_error_further_action';` If the value returned does not include DROP or DELAY, this is a Finding. |
Fix Text (F-16156r1_fix) |
---|
Set the value for the sec_protocol_error_further_action initialization parameter to DROP or DELAY. DROP provides better protection and is recommended. From SQL*Plus: `alter system set sec_protocol_error_further_action = 'drop' scope = spfile;` OR `alter system set sec_protocol_error_further_action = 'drop,3' scope = spfile;` NOTE: The addition of the ‘,3’ above further limits the number of ‘bad packets’ to the specified number before forcefully terminating the connection. The above SQL*Plus command will set the parameter to take effect at next system startup. |
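
The check reads `v$parameter`, the value in effect for the running instance, while the fix writes only to the spfile, so re-running the check before a restart still reports a Finding. The query below is an added example, not part of the STIG text; it assumes a single (non-RAC) instance started from an spfile and reports both values side by side.

```sql
-- Added example (not from the STIG): compare the running value with the spfile value.
--   v$parameter   = value in effect for the running instance (what the check reads)
--   v$spparameter = value recorded in the spfile (what "scope = spfile" changes)
-- Assumption: single instance, so v$spparameter holds at most one specified row
-- for this parameter. On RAC there can be one row per SID.
set linesize 200
column running_value format a20
column spfile_value  format a20
column status        format a45

select upper(p.value)  as running_value,
       upper(sp.value) as spfile_value,
       case
         -- Same test as the check text: running value includes DROP or DELAY.
         when upper(p.value) like '%DROP%' or upper(p.value) like '%DELAY%'
           then 'Not a Finding'
         -- Fix has been written to the spfile but the instance was not restarted.
         when upper(sp.value) like '%DROP%' or upper(sp.value) like '%DELAY%'
           then 'Finding until restart (fix is in spfile)'
         else 'Finding'
       end             as status
from   v$parameter p
       left join v$spparameter sp
              on sp.name = p.name
             and sp.isspecified = 'TRUE'   -- ignore parameters not set in the spfile
where  p.name = 'sec_protocol_error_further_action';
```

If `spfile_value` is empty, the parameter has not been set in the spfile, or the instance was started from a pfile.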