STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

Network client connections must be restricted to supported versions.

DISA Rule

SV-219875r401224_rule

Vulnerability Number

V-219875

Group Title

SRG-APP-000516-DB-000363

Rule Version

O121-BP-026600

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the SQLNET.ORA file to add or edit the entries:

SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12
SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 12

Set the value to 12 or higher.
Valid values for SQLNET.ALLOWED_LOGON_VERSION_SERVER are: 12 and 12a

Valid values for SQLNET.ALLOWED_LOGON_VERSION_CLIENT are: 12 and 12a

For more information on sqlnet.ora parameters refer to the following document:
"Database Net Services Reference"
http://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF006

For more information on configuring authentication refer to the following document:
"Oracle Database 12C Password Version Configuration Guidelines"
https://docs.oracle.com/database/121/DBSEG/authentication.htm#GUID-E6EE45DD-1E3B-4028-B8DE-65D6AA373821

Check Contents

Note: The SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated in Oracle Database 12c. This parameter has been replaced with two new Oracle Net Services parameters:

SQLNET.ALLOWED_LOGON_VERSION_SERVER
SQLNET.ALLOWED_LOGON_VERSION_CLIENT

View the SQLNET.ORA file in the ORACLE_HOME/network/admin directory or the directory specified in the TNS_ADMIN environment variable. (Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.)

Locate the following entries:

SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12
SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 12

If the parameters do not exist, this is a finding.

If the parameters are not set to a value of 12 or 12a, this is a finding.

Note: Attempting to connect with a client version lower than specified in these parameters may result in a misleading error:
ORA-01017: invalid username/password: logon denied
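
The check above can be scripted. The following is an added example, not part of the STIG or of Oracle's tooling: the function names are hypothetical, the sample file is constructed, and it assumes parameter names and values are compared case-insensitively.

```shell
#!/bin/sh
# Added example (not from the STIG): audit a sqlnet.ora per the check above.

# Location per the check text: TNS_ADMIN if set, else ORACLE_HOME/network/admin.
sqlnet_path() {
    echo "${TNS_ADMIN:-$ORACLE_HOME/network/admin}/sqlnet.ora"
}

# Print the last value set for parameter $2 in file $1, lower-cased.
# Comment lines are skipped; names match exactly but case-insensitively, so the
# deprecated SQLNET.ALLOWED_LOGON_VERSION never satisfies either check.
sqlnet_value() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", name); gsub(/[[:space:]"]/, "", val)
            if (toupper(name) == toupper(want)) found = tolower(val)
        }
        END { if (found != "") print found }' "$1"
}

# Return 0 when both parameters are 12 or 12a, 1 on a finding.
# Assumption: an unreadable file is reported as a finding.
check_sqlnet() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "FINDING: cannot read $file"; return 1; }
    for p in SQLNET.ALLOWED_LOGON_VERSION_SERVER SQLNET.ALLOWED_LOGON_VERSION_CLIENT; do
        v=$(sqlnet_value "$file" "$p")
        case $v in
            12|12a) echo "OK: $p = $v" ;;
            '')     echo "FINDING: $p is not set"; rc=1 ;;
            *)      echo "FINDING: $p = $v (expected 12 or 12a)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample file: SERVER is compliant, CLIENT is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sqlnet.ora for illustration
sqlnet.allowed_logon_version_server = 12a
SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 11
EOF
check_sqlnet "$sample" || echo "Result: finding"
rm -f "$sample"
```

On a database host, run check_sqlnet "$(sqlnet_path)" once for each sqlnet.ora location in use.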

Documentable

False

Check Content Reference

M

Target Key

4059

Comments