DO6750-ORACLE11 - The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP - 'sec_protocol_error_further_action = drop or delay'

Information

The database is vulnerable to exhaustion of resources that could result in a Denial of Service (DoS) to other clients if not protected from a flood of bad packets submitted by a malicious or errant client connection. The sec_protocol_error_further_action initialization parameter can be set to delay or drop acceptance of bad packets from a client in order to support the continued function of other non-problematic connections.

Solution

Set the value for the sec_protocol_error_further_action initialization parameter to DROP or DELAY.

DROP provides better protection and is recommended.

From SQL*Plus:

alter system set sec_protocol_error_further_action = 'drop' scope = spfile;
OR
alter system set sec_protocol_error_further_action = 'drop,3' scope = spfile;

NOTE: The addition of the ',3' above further limits the number of 'bad packets' to the specified number before forcefully terminating the connection.

The above SQL*Plus command will set the parameter to take effect at next system startup.

Item Details

Audit Name: DISA STIG Oracle 11 Instance v9r1 Database

References: CAT|II, Rule-ID|SV-55940r2_rule, STIG-ID|DO6750-ORACLE11, Vuln-ID|V-16053

Plugin: OracleDB

Control ID: 5470f3ae963f47e033013579b45104474df8fa1f996adba95497d75c3bbc27e4

Detections

Analytics

DO6750-ORACLE11 - The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP - 'sec_protocol_error_further_action = drop or delay'

Information

Solution

See Also

Item Details