2.2.14 Ensure 'SQL92_SECURITY' Is Set to 'TRUE'

Information

The SQL92_SECURITY parameter setting TRUE requires that a user must also be granted the SELECT object privilege before being able to perform UPDATE or DELETE operations on tables that have WHERE or SET clauses. The setting should have a value of TRUE.

A user without SELECT privilege can still infer the value stored in a column by referring to that column in a DELETE or UPDATE statement. This setting prevents inadvertent information disclosure by ensuring that only users who already have SELECT privilege can execute the statements that would allow them to infer the stored values.

Solution

To remediate this setting, execute the following SQL statement.

ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;

See Also

https://workbench.cisecurity.org/benchmarks/11760

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OracleDB

Control ID: e3a32a9700d1a1fe85b69f7dfa71aac7cda5f86daa7b7d4b8941f79a5cd51f91