Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-219841	O121-BP-023000	SV-219841r961863_rule		Medium

Description

Multi-tier systems may be configured with the database and connecting middle-tier system located on an internal network, with the database located on an internal network behind a firewall and the middle-tier system located in a DMZ. In cases where either or both systems are located in the DMZ (or on networks external to DoD), network communications between the systems must be encrypted.

STIG	Date
Oracle Database 12c Security Technical Implementation Guide	2025-02-12

Details

Check Text (C-21552r533062_chk)

Review the System Security Plan for remote applications that access and use the database.

For each remote application or application server, determine whether communications between it and the DBMS are encrypted. If any are not encrypted, this is a finding.

Fix Text (F-21551r533063_fix)

Configure communications between the DBMS and remote applications/application servers to use DoD-approved encryption.