The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16053 | DO6750-ORACLE11 | SV-55940r2_rule | Medium |
| Description |
|---|
| The database is vulnerable to exhaustion of resources that could result in a Denial of Service (DoS) to other clients if not protected from a flood of bad packets submitted by a malicious or errant client connection. The sec_protocol_error_further_action initialization parameter can be set to delay or drop acceptance of bad packets from a client in order to support the continued function of other non-problematic connections. |
| STIG | Date |
|---|---|
| Oracle Database 11g Instance STIG | 2017-06-29 |
Details
| Check Text ( C-17062r2_chk ) |
|---|
| From SQL*Plus: select upper(value) from v$parameter where name = 'sec_protocol_error_further_action'; If the value returned does not include DROP or DELAY, this is a Finding. |
| Fix Text (F-16156r1_fix) |
|---|
| Set the value for the sec_protocol_error_further_action initialization parameter to DROP or DELAY. DROP provides better protection and is recommended. From SQL*Plus: alter system set sec_protocol_error_further_action = 'drop' scope = spfile; OR alter system set sec_protocol_error_further_action = 'drop,3' scope = spfile; NOTE: The addition of the ‘,3’ above further limits the number of ‘bad packets’ to the specified number before forcefully terminating the connection. The above SQL*Plus command will set the parameter to take effect at next system startup. |