AWS AmazonRDS documentation change
Summary
Improved verification method for Oracle Native Network Encryption (NNE)
Security assessment
Enhances documentation for verifying encryption status using V$SESSION_CONNECT_INFO instead of SYS_CONTEXT, improving accuracy of security feature validation but not fixing a vulnerability.
Diff
diff --git a/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.NetworkEncryption.md b/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.NetworkEncryption.md index 6cc16ae70..5ae1970eb 100644 --- a//AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.NetworkEncryption.md +++ b//AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.NetworkEncryption.md @@ -38 +38 @@ You can use Native Network Encryption or Secure Sockets Layer, but not both. For -After connecting to your DB instance, run the following query to confirm your session is encrypted: +After connecting to your DB instance, query `V$SESSION_CONNECT_INFO` for your session to confirm that native network encryption is active: @@ -41,3 +41,3 @@ After connecting to your DB instance, run the following query to confirm your se - SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') AS PROTOCOL, - SYS_CONTEXT('USERENV', 'ENCRYPTION_TYPE') AS ENCRYPTION - FROM DUAL; + SELECT NETWORK_SERVICE_BANNER + FROM V$SESSION_CONNECT_INFO + WHERE SID = SYS_CONTEXT('USERENV', 'SID'); @@ -45 +45 @@ After connecting to your DB instance, run the following query to confirm your se -If NNE is active, the `ENCRYPTION` column shows the algorithm in use (for example, `AES256`). If it shows blank or NULL, the connection is not encrypted. +If NNE is active, the results include a banner that contains `encryption service adapter`. The banner text shows the negotiated algorithm, for example `AES256`. If checksumming is also enabled, the results include a `crypto-checksumming service adapter` banner. If the query returns no encryption service adapter banner, the connection is not using native network encryption.