STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 28 Jan 2021

The MySQL Database Server 8.0 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.

DISA Rule

SV-235191r638812_rule

Vulnerability Number

V-235191

Group Title

SRG-APP-000427-DB-000385

Rule Version

MYS8-00-011900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove any certificate that was not issued by a valid DoD certificate authority.

Contact the organization's certificate issuer and request a new certificate that is issued by a valid DoD certificate authority.

Check Contents

To run MySQL in SSL mode, obtain a valid certificate signed by a single certificate authority.

Before starting the MySQL database in SSL mode, verify the certificate used is issued by a valid DoD certificate authority.

Run this command:
openssl x509 -in <path_to_certificate_pem_file> -text | grep -i "issuer"

If there is any issuer present in the certificate that is not a DoD-approved certificate authority, this is a finding.
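
The command above reads only the first certificate in the file, so a PEM bundle needs each certificate checked in turn. The following script is an added example, not part of the STIG: it lists the issuer of every certificate in a file and compares each one to an allow-list. The DNs in APPROVED_ISSUERS are constructed placeholders and the function names are hypothetical; substitute the issuer DNs of the CAs approved for your environment.

```shell
#!/bin/sh
# Added example (not from the STIG): issuer check for every cert in a PEM file.
# APPROVED_ISSUERS holds constructed placeholder DNs in RFC 2253 form, one per
# line. Replace them with the issuer DNs of the CAs approved for your site.
APPROVED_ISSUERS='CN=EXAMPLE APPROVED CA-1,OU=PKI,OU=Example,O=Example Org,C=US
CN=EXAMPLE APPROVED CA-2,OU=PKI,OU=Example,O=Example Org,C=US'

# Succeed only when the DN in $1 equals one approved DN exactly (-F fixed
# string, -x whole line), so a look-alike or partial DN does not pass.
issuer_approved() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$APPROVED_ISSUERS" | grep -Fxq -- "$1"
}

# Print one issuer DN per certificate block in the PEM file $1. A block that
# openssl cannot parse is reported as a marker line so the audit flags it.
list_issuers() {
    cert=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '-----BEGIN CERTIFICATE-----'*) cert="$line" ;;
            '-----END CERTIFICATE-----'*)
                dn=$(printf '%s\n%s\n' "$cert" "$line" |
                     openssl x509 -noout -issuer -nameopt RFC2253 2>/dev/null) ||
                     dn='issuer=<unparseable certificate>'
                printf '%s\n' "$dn" | sed 's/^issuer= *//'
                cert='' ;;
            *) if [ -n "$cert" ]; then cert="$cert
$line"; fi ;;
        esac
    done < "$1"
}

# Read issuer DNs on stdin and print a verdict per line. Returns 1 (a finding)
# if any issuer is not approved or if no certificate was seen at all.
audit_issuers() {
    seen=0
    rc=0
    while IFS= read -r dn; do
        seen=$((seen + 1))
        if issuer_approved "$dn"; then echo "OK       $dn"
        else echo "FINDING  $dn"; rc=1; fi
    done
    [ "$seen" -gt 0 ] || rc=1
    return "$rc"
}

# With a file argument, audit it; exit status 1 means a finding.
if [ "$#" -gt 0 ]; then list_issuers "$1" | audit_issuers; fi
```

An issuer DN is only a name that any certificate can carry, so this check complements chain validation such as `openssl verify -CAfile <approved_ca_bundle> <certificate>` rather than replacing it.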

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5277
