DISA STIGS Viewer

If passwords are used for authentication, the Oracle Database must transmit only encrypted representations of passwords.

Overview

Finding ID: V-270565
Version: O19C-00-014900
Rule ID: SV-270565r1064973_rule
IA Controls: (none listed)
Severity: Medium
Description
The DOD standard for authentication is DOD-approved public key infrastructure (PKI) certificates. Authentication based on user ID and password may be used only when it is not possible to employ a PKI certificate, and requires authorizing official (AO) approval. In such cases, passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Database management system (DBMS) passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. Transport Layer Security (TLS) is the successor protocol to Secure Sockets Layer (SSL). Although the Oracle configuration parameters have names including "SSL", such as SSL_VERSION and SSL_CIPHER_SUITES, they refer to TLS.
STIG: Oracle Database 19c Security Technical Implementation Guide
Date: 2025-06-24

Details

Check Text (C-74598r1064971_chk)
If all accounts are authenticated by the OS or an enterprise-level authentication/access mechanism and not by Oracle, this is not a finding.

Review configuration settings for encrypting passwords in transit across the network. If passwords are not encrypted, this is a finding.

The database supports PKI-based authentication using digital certificates over TLS, in addition to the encryption and data integrity that TLS itself provides.

Oracle provides a complete PKI based on the RSA Security Public-Key Cryptography Standards (PKCS) that interoperates with Oracle servers and clients. An Oracle wallet is a container for the authentication and signing credentials TLS needs: private keys, certificates, and trusted certificates. In an Oracle environment, every entity that communicates over TLS must have a wallet containing an X.509 version 3 certificate, a private key, and a list of trusted certificates.

Verify that $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the following to ensure TLS is configured (the cipher suite name is a placeholder; every parenthesis opened in WALLET_LOCATION must be closed):

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /wallet)))

SSL_CIPHER_SUITES = (SSL_cipher_suiteExample)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE

Set SSL_VERSION to the TLS version in use (1.2 shown here). Do not set it to 3.0: in this parameter 3.0 denotes SSL 3.0, not TLS, and a value of 1.0 or 1.1 selects a TLS version that is no longer considered adequate.

If the sqlnet.ora file does not contain such entries, this is a finding.
Fix Text (F-74499r1064972_fix)
Configure encryption for transmission of passwords across the network.

Configure the database to support TLS protocols and the Oracle Wallet to store authentication and signing credentials, including private keys.

More information can be found at https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/configuring-secure-sockets-layer-authentication.html#GUID-EF8DEC69-C8BE-462B-ABDD-E621914E617E.
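The check text and fix text above both come down to the same sqlnet.ora entries. As an added example (not code from DISA's STIG or from Oracle), the following Python script parses a sqlnet.ora file and reports the items the check looks for: a wallet DIRECTORY under WALLET_LOCATION, SSL_VERSION, SSL_CIPHER_SUITES and SSL_CLIENT_AUTHENTICATION. The file samples are constructed, and the thresholds it applies (TLS 1.2 or later, the weak cipher-suite markers) are this example's own assumed policy; the STIG itself only says "entries similar to the following" and uses a placeholder suite name. The parser also refuses a wallet stanza whose closing parentheses are missing, which is the usual damage when the block is copied from a rendered page.

```python
"""Added example (not DISA's or Oracle's code): parse a sqlnet.ora file and report
the entries this STIG check looks for. Samples are constructed; the TLS-version and
cipher-suite thresholds are this example's assumed policy, not text from the STIG."""

def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i

def _parse_value(s, i):
    """Value after '=': '(...)' groups merged into a dict (a comma list such as
    cipher suites becomes a list), otherwise a scalar up to ')' or end of line."""
    i = _skip_ws(s, i)
    if i < len(s) and s[i] == "(":
        merged = {}
        while i < len(s) and s[i] == "(":
            inner, i = _parse_group(s, i)
            if isinstance(inner, list):
                return inner, _skip_ws(s, i)
            for key, val in inner.items():  # repeated keys (e.g. ADDRESS) collect into a list
                prev = merged.get(key)
                merged[key] = val if prev is None else (prev if isinstance(prev, list) else [prev]) + [val]
            i = _skip_ws(s, i)
        return merged, i
    j = i
    while j < len(s) and s[j] not in ")\n":
        j += 1
    return s[i:j].strip(), j

def _parse_group(s, start):
    """s[start] is '('; return ({KEY: value} or [tokens], index past the matching ')')."""
    i = _skip_ws(s, start + 1)
    j = i
    while j < len(s) and s[j] not in "=,)(":
        j += 1
    if j < len(s) and s[j] == "=":  # (KEY = value) entry
        val, k = _parse_value(s, j + 1)
        k = _skip_ws(s, k)
        if k >= len(s) or s[k] != ")":
            raise ValueError(f"missing ')' for group opened at offset {start}")
        return {s[i:j].strip().upper(): val}, k + 1
    k = s.find(")", i)  # (a, b, c) token list
    if k < 0:
        raise ValueError(f"missing ')' for list opened at offset {start}")
    return [t.strip() for t in s[i:k].split(",") if t.strip()], k + 1

def parse_sqlnet(text):
    """Return {PARAMETER: value} for sqlnet.ora text; raise ValueError if malformed."""
    s = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop '#' comments
    params, i = {}, _skip_ws(s, 0)
    while i < len(s):
        j = s.find("=", i)
        if j < 0:
            raise ValueError(f"parameter without '=' at offset {i}")
        key = s[i:j].strip().upper()
        params[key], i = _parse_value(s, j + 1)
        i = _skip_ws(s, i)
    return params

def is_well_formed(text):
    try:
        parse_sqlnet(text)
        return True
    except ValueError:
        return False

# Assumed policy for this example; the STIG itself names no version or suite.
ACCEPTED_TLS_VERSIONS = {"1.2", "1.3"}
WEAK_SUITE_MARKERS = ("_NULL_", "_ANON_", "RC4", "_MD5", "DES_", "EXPORT")

def wallet_directory(params):
    """DIRECTORY under WALLET_LOCATION -> SOURCE -> METHOD_DATA, or None."""
    node = params.get("WALLET_LOCATION")
    for key in ("SOURCE", "METHOD_DATA", "DIRECTORY"):
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, str) and node else None

def assess(params):
    """Return finding strings; [] means the entries the check names are present,
    SSL_VERSION is TLS 1.2 or later, and no listed cipher suite is weak."""
    findings = []
    if wallet_directory(params) is None:
        findings.append("WALLET_LOCATION does not name a wallet DIRECTORY")
    version = params.get("SSL_VERSION")
    if version is None:
        findings.append("SSL_VERSION is not set")
    elif version == "3.0":
        findings.append("SSL_VERSION=3.0 selects SSL 3.0, which is not TLS")
    elif version not in ACCEPTED_TLS_VERSIONS:
        findings.append(f"SSL_VERSION={version} does not restrict sessions to TLS 1.2 or later")
    suites = params.get("SSL_CIPHER_SUITES")
    if not suites:
        findings.append("SSL_CIPHER_SUITES is not set")
    else:
        for suite in (suites if isinstance(suites, list) else [str(suites)]):
            if any(m in suite.upper() for m in WEAK_SUITE_MARKERS):
                findings.append(f"weak cipher suite {suite}")
    if str(params.get("SSL_CLIENT_AUTHENTICATION", "")).upper() != "TRUE":
        findings.append("SSL_CLIENT_AUTHENTICATION is not TRUE (the STIG example shows TRUE)")
    return findings

# Constructed samples, not taken from any real system.
COMPLIANT_SQLNET = """
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)))
SSL_CIPHER_SUITES = (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
"""
WEAK_SQLNET = """
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /wallet)))
SSL_CIPHER_SUITES = (SSL_RSA_WITH_RC4_128_MD5)  # obsolete suite
SSL_VERSION = 3.0                               # SSL 3.0, not TLS
SSL_CLIENT_AUTHENTICATION = FALSE
"""
# Wallet stanza with its closing parentheses lost; the parser rejects it
# instead of silently reading a partial configuration.
TRUNCATED_SQLNET = "WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = DIRECTORY = /wallet)\nSSL_VERSION = 1.2\n"
```

Feed it the text of $ORACLE_HOME/network/admin/sqlnet.ora (or the copy under TNS_ADMIN) with `assess(parse_sqlnet(open(path).read()))`; an empty list means the entries the check names are present, and the weak sample above yields three findings. Two caveats go beyond what the file alone shows: these entries do not prove the listener exposes a TCPS endpoint or that clients actually connect through it, and the "not a finding" case for accounts authenticated by the OS or an enterprise mechanism has to be established from the account configuration, not from sqlnet.ora. Note also that SSL_CLIENT_AUTHENTICATION=TRUE makes clients authenticate with certificates (mutual TLS); the script follows the STIG example and flags anything else, but server-authenticated TLS by itself already encrypts a password in transit.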