V-270584
Oracle Database 19c Security Technical Implementation Guide
Title
Oracle Database must restrict error messages so only authorized personnel may view them.
Description
<VulnDiscussion>Any database management system (DBMS) or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal inform...
Fix Text (Documentation Requirement)
For each end-user-facing application that displays DBMS-generated error messages, configure or recode it to suppress these messages. If the application is coded in Oracle PL/SQL, the EXCEPTION block can be used to suppress or divert error messages. Most other programming languages provide comparable facilities, such as TRY ... CATCH. For each unauthorized user of each tool, remove the ability to access it. For each tool where access to DBMS error messages is not required and can be configured, suppress the messages. For each role/user that needs access to the error messages or needs a tool where the messages cannot be suppressed, document the need in the system documentation.