8 Replies Latest reply: May 6, 2012 10:26 PM by netguy

Regarding Security patch for listener CVE-2012-1675

868750 Newbie
Hi all,

Could somebody please explain the new security patch released by Oracle for CVE-2012-1675 (TNS Listener Poison Attack)?

I have gone through Metalink ID 1453883.1 and, to my understanding, this fix needs to be applied where we are using Shared Server configurations. But if we are going for a Dedicated Server configuration, it's not needed.

Please correct me if I'm wrong. I'm also a little bit confused by the below statement from the above-mentioned Metalink ID:

<Moderator edit - deleted MOS Doc content - pl do not post contents of MOS Docs>


Regards,
Kumar
  • 1. Re: Regarding Security patch for listener CVE-2012-1675
    damorgan Oracle ACE Director
    Not sure where you got that idea ... read this:
    http://www.joxeankoret.com/download/tnspoison.pdf

    I normally wouldn't post a link such as this but once it hit Ars Technica there wasn't much left to the imagination.
  • 2. Re: Regarding Security patch for listener CVE-2012-1675
    868750 Newbie
    Thank you damorgan,


    Will go through the document.


    Regards,
    Kumar
  • 4. Re: Regarding Security patch for listener CVE-2012-1675
    934517 Newbie
    Hi all,
    It seems that for non-RAC a simple workaround exists (see http://www.joxeankoret.com/download/tnspoison.pdf, http://www.h-online.com/security/news/item/Oracle-databases-vulnerable-to-injected-listeners-1563150.html) just by setting
    DYNAMIC_REGISTRATION = OFF (in listener.ora).

    * Can anyone confirm whether or not this works? And if yes, would it work in Oracle 9i? (I cannot check it myself; Oracle.com leads me to http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1 (for non-RAC), but my Oracle.com account does not have enough privileges.)
    * And yes, I have checked the Oracle documentation (both 9i and 11g), but that does not really help.

    In the documentation I do find a setting DYNAMIC_REGISTRATION_<listener_name> = ..., but not DYNAMIC_REGISTRATION = ...
    So I'm not sure if this setting actually exists; can anyone confirm?
    * And if the setting exists, I did it as below; is this correct, given an instance name XYZ?
    Thanks in advance for your help!


    XYZ =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCP)(HOST = ...)(PORT = 1521))
          )
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
          )
        )
      )

    SID_LIST_XYZ =
      (SID_LIST =
        (SID_DESC =
          ...
          (ORACLE_HOME = ...)
          (PROGRAM = extproc)
          (DYNAMIC_REGISTRATION = OFF)
        )
      )
  • 5. Re: Regarding Security patch for listener CVE-2012-1675
    934517 Newbie
    Informed by others, it seems that the correct config re my example would be like below, where XYZ is the listener name (not the database or instance name, although these might be equal to the listener name).
    I have not been able to confirm that this actually changes something, as my old-fashioned 9i database listener is not able to show this setting :-(
    A former colleague will try this on newer (10g, 11g) databases and will let me know; I will keep you posted.

    XYZ =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCP)(HOST = ...)(PORT = 1521))
          )
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
          )
        )
      )

    SID_LIST_XYZ =
      (SID_LIST =
        (SID_DESC =
          ...
          (ORACLE_HOME = ...)
          (PROGRAM = extproc)
        )
      )

    DYNAMIC_REGISTRATION_XYZ = off
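
An added example, not part of any post in this thread: a small Python check that reads a listener.ora and reports, per listener, whether the top-level DYNAMIC_REGISTRATION_<listener_name> parameter discussed above is set to off, and flags the nested and unsuffixed spellings asked about in reply 4. The sample files, host name and ORACLE_HOME path are constructed placeholders; a missing parameter is reported as "on", the documented default.

```python
import re

ASSIGN = re.compile(r"\b([A-Za-z_]\w*)\s*=")

def audit_listener_ora(text):
    """Return ({listener: 'on'|'off'}, [warnings]) for listener.ora text."""
    text = re.sub(r"#[^\n]*", "", text)               # strip comments
    top, warnings = [], []
    for m in ASSIGN.finditer(text):
        # Paren depth at this assignment: 0 means a top-level parameter.
        depth = text.count("(", 0, m.start()) - text.count(")", 0, m.start())
        name = m.group(1).upper()
        if depth == 0:
            top.append(m)
        elif name.startswith("DYNAMIC_REGISTRATION"):
            warnings.append(f"{name} nested at depth {depth}: not a top-level parameter")
    params = {}
    for m, nxt in zip(top, top[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        params[m.group(1).upper()] = text[m.end():end].strip()
    if "DYNAMIC_REGISTRATION" in params:
        warnings.append("DYNAMIC_REGISTRATION has no _<listener_name> suffix")
    # A listener definition is a top-level entry that carries an ADDRESS.
    listeners = [n for n, v in params.items() if "(ADDRESS" in v.upper().replace(" ", "")]
    # Assumption: an absent parameter means the documented default, on.
    state = {n: params.get("DYNAMIC_REGISTRATION_" + n, "on").lower() for n in listeners}
    return state, warnings

# Constructed samples modelled on the two layouts posted in this thread
# (host name and ORACLE_HOME are placeholders, not values from the thread).
BODY = """XYZ =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.invalid)(PORT = 1521)))
      (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)))))
SID_LIST_XYZ =
  (SID_LIST =
    (SID_DESC =
      (ORACLE_HOME = /placeholder/oracle_home)
      (PROGRAM = extproc)%s))
"""
NESTED = BODY % "\n      (DYNAMIC_REGISTRATION = OFF)"      # layout from reply 4
TOP_LEVEL = BODY % "" + "DYNAMIC_REGISTRATION_XYZ = off\n"  # layout from reply 5

if __name__ == "__main__":
    for label, sample in (("nested", NESTED), ("top-level", TOP_LEVEL)):
        print(label, audit_listener_ora(sample))
```
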
  • 6. Re: Regarding Security patch for listener CVE-2012-1675
    TC Newbie
    The configuration changes posted by Oracle to fix the Poison problem do not work for 10g. The changes require patch 12880299, which is an 11g-only patch. Oracle will not backport to 10.2.0.3 or 10.2.04. Whether they will backport to 10.2.0.5 is yet to be seen.
  • 7. Re: Regarding Security patch for listener CVE-2012-1675
    934517 Newbie
    Exactly which configuration changes do you mean? Those for RAC or those for non-RAC?
    And is this information verified with Oracle?
  • 8. Re: Regarding Security patch for listener CVE-2012-1675
    netguy Newbie
    "The configuration changes posted by Oracle to fix the Poison problem do not work for 10g. The changes require patch 12880299, which is an 11g-only patch. Oracle will not backport to 10.2.0.3 or 10.2.04. Whether they will backport to 10.2.0.5 is yet to be seen."

    ----------------------------

    Patches are available for all supported versions.

    If you are running a standalone database Version 10.2.0.3 or higher, no patch is necessary and it is a very simple configuration (it takes a couple of minutes).

    If you are running RAC then the patch is necessary (12880299) but it is still a fairly simple setup following the instructions in the Oracle note.

    cheers

    Edited by: mseibt on May 6, 2012 10:25 PM
