STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.

DISA Rule

SV-220301r397843_rule

Vulnerability Number

V-220301

Group Title

SRG-APP-000266-DB-000162

Rule Version

O121-C2-019900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure DBMS and custom database and application code not to divulge sensitive information or information useful for system identification in error information.

Check Contents

Check DBMS settings and custom database and application code to verify error messages do not contain information beyond what is needed for troubleshooting the issue.

If database errors contain PII data, sensitive business data, or information useful for identifying the host system, this is a finding.

Notes on Oracle's approach to this issue: Out of the box, Oracle covers this. For example, if a user does not have access to a table, the error is just that the table or view does not exist. The Oracle database is not going to display a Social Security Number in an error code unless an application is programmed to do so. Oracle applications will not expose the actual transactional data to a screen. The only way Oracle will capture this information is to enable specific logging levels. Custom code would require a review to ensure compliance.
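An added PL/SQL illustration of the fix and check above (it is not part of the STIG or of Oracle's documentation): a custom procedure whose exception handler echoes PII and the raw Oracle error text to the caller, beside a version that hands the caller only a generic message and a reference id while the troubleshooting detail goes to a restricted log table. The table and procedure names are constructed for the example.

```sql
-- Constructed sample table for this example; it holds data that must never appear in an error.
CREATE TABLE accounts (acct_id NUMBER PRIMARY KEY, ssn VARCHAR2(11), balance NUMBER);

-- Restricted log table: full error detail is written here and read only by DBAs.
CREATE TABLE app_error_log (
  err_id     NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  logged_at  TIMESTAMP DEFAULT SYSTIMESTAMP,
  ref        VARCHAR2(32),
  db_user    VARCHAR2(128),
  err_detail VARCHAR2(4000)
);

-- Before: the handler sends the SSN and the raw Oracle error back to the caller (a finding).
CREATE OR REPLACE PROCEDURE get_balance_leaky (p_ssn IN VARCHAR2, p_balance OUT NUMBER) AS
BEGIN
  SELECT balance INTO p_balance FROM accounts WHERE ssn = p_ssn;
EXCEPTION
  WHEN OTHERS THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Lookup failed for SSN ' || p_ssn || ': ' || SQLERRM);
END;
/

-- Helper: records the detail in its own transaction so the log entry survives
-- the caller's rollback. The lookup key is PII and is deliberately not logged.
CREATE OR REPLACE PROCEDURE log_error_detail (p_ref IN VARCHAR2, p_detail IN VARCHAR2) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO app_error_log (ref, db_user, err_detail)
  VALUES (p_ref, SYS_CONTEXT('USERENV', 'SESSION_USER'), SUBSTR(p_detail, 1, 4000));
  COMMIT;
END;
/

-- After: the caller receives a generic message plus a reference id; SQLERRM and the
-- error backtrace stay in the restricted log for troubleshooting.
CREATE OR REPLACE PROCEDURE get_balance (p_ssn IN VARCHAR2, p_balance OUT NUMBER) AS
  l_ref VARCHAR2(32);
BEGIN
  SELECT balance INTO p_balance FROM accounts WHERE ssn = p_ssn;
EXCEPTION
  WHEN OTHERS THEN
    l_ref := RAWTOHEX(SYS_GUID());
    log_error_detail(l_ref, 'get_balance: ' || SQLERRM || CHR(10)
                            || DBMS_UTILITY.FORMAT_ERROR_BACKTRACE);
    RAISE_APPLICATION_ERROR(-20001, 'Account lookup failed. Reference ' || l_ref);
END;
/
```

When reviewing custom code for this check, the exception handlers are the place to look: any handler that concatenates parameters, column values, or SQLERRM into the message raised to the caller is the pattern the check is meant to catch.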

Documentable

False

Check Content Reference

M

Target Key

4059

Comments