V-270513

SV-270513r1138543_rule

CAT I

Oracle Database products must be a version supported by the vendor.

From: Oracle Database 19c Security Technical Implementation Guide (V1R5)

Description

<VulnDiscussion>Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

Review the system documentation and interview the database administrator. Identify all database software components. Review the version and release information. From SQL*Plus: Select version from v$instance; Access the vendor website or use other means to verify the version is still supported. Oracle Release schedule: https://support.oracle.com/knowledge/Oracle%20Database%20Products/742060_1.html If the Oracle version or any of the software components are not supported by the vendor, this is a finding.

Fix Text

Remove or decommission all unsupported software products. Upgrade unsupported DBMS or unsupported components to a supported version of the product.

CCI Reference

CCI-003376

Created: 2026-04-07 20:08:29
Last Updated: 2026-04-07 20:08:29