Your statement: "not enough" has no meaning without an explanation.
Surely the remote users are not on the same subnet as the local users.
I don't understand why it wouldn't be, but assuming that is the case, I would create an AFTER LOGON system event trigger, look at a variety of values available using SYS_CONTEXT, and then raise an exception if any issue was found.
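A sketch of the AFTER LOGON trigger approach suggested in the reply above, added here as an illustration and not taken from any poster in the thread. The table `logon_allowed_prefix`, the account `APP_USER` and the `192.0.2.` prefix are assumptions constructed for the example.

```sql
-- Hypothetical allowlist table: one row per account and permitted client IP prefix.
CREATE TABLE logon_allowed_prefix (
  username   VARCHAR2(128) NOT NULL,   -- database account the rule applies to
  ip_prefix  VARCHAR2(64)  NOT NULL    -- leading part of the permitted client address
);

-- Constructed sample rule: APP_USER may connect only from 192.0.2.x.
INSERT INTO logon_allowed_prefix (username, ip_prefix) VALUES ('APP_USER', '192.0.2.');
COMMIT;

CREATE OR REPLACE TRIGGER trg_restrict_logon
AFTER LOGON ON DATABASE
DECLARE
  v_user  VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip    VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_rules PLS_INTEGER;  -- number of rules defined for this account
  v_hits  PLS_INTEGER;  -- number of those rules the client address matches
BEGIN
  SELECT COUNT(*),
         COUNT(CASE WHEN v_ip LIKE ip_prefix || '%' THEN 1 END)
    INTO v_rules, v_hits
    FROM logon_allowed_prefix
   WHERE username = v_user;

  -- Accounts with no rule are unrestricted. IP_ADDRESS is NULL for local
  -- (bequeath/IPC) sessions, which this example lets through.
  IF v_rules > 0 AND v_ip IS NOT NULL AND v_hits = 0 THEN
    RAISE_APPLICATION_ERROR(
      -20001,
      'Logon for ' || v_user || ' from ' || v_ip || ' is not permitted');
  END IF;
END;
/
```

An exception raised in a logon trigger does not block accounts holding the ADMINISTER DATABASE TRIGGER privilege (DBAs, for example), so those logons need a separate control.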
MarkusM gave me a wonderful solution:
*Using Class of Secure Transport (COST) to Restrict Instance Registration with SCAN listeners [ID 1340831.1]*
Oracle Security Alert for CVE-2012-1675 ## added
I hope it helps others.
Edited by: Levi Pereira on May 7, 2012 2:37 PM
Yes, I posted about that 4 days ago:
Re: Local Listener Validity in 11gR2
I have not yet had an opportunity to test it; have you successfully tested the procedures? Basically it forces all registration events to occur over IPC/TCPS. I have seen the original test case for this, and while yes, it is true that you can connect if this is not in place, it is a very complex man-in-the-middle vulnerability requiring access to your [hopefully firewalled] database server.
Yes. I already applied this security in all environments that I manage. This procedure works and solves the problem, although this is not the final solution, because this solution uses features (Oracle Advanced Security SSL/TLS) that can be used only in the Enterprise Version.
BTW, conversing with some people from Oracle, they told me that soon this will be solved with a simpler solution.