8 Replies Latest reply: May 7, 2012 12:26 AM by netguy-Oracle

    Regarding Security patch for listener CVE-2012-1675

    868750
      Hi all,

      Could somebody please explain the new security patch released by Oracle for CVE-2012-1675 (TNS Listener Poison Attack)?

      I have gone through Metalink ID 1453883.1 and, to my understanding, this fix needs to be applied where we are using Shared Server configurations. But if we are going for a Dedicated Server configuration, it's not needed.

      Please correct me if I'm wrong. I'm also a little bit confused by the statement below from the above-mentioned Metalink ID:

      <Moderator edit - deleted MOS Doc content - pl do not post contents of MOS Docs>


      Regards,
      Kumar
        • 1. Re: Regarding Security patch for listener CVE-2012-1675
          damorgan
          Not sure where you got that idea ... read this:
          http://www.joxeankoret.com/download/tnspoison.pdf

          I normally wouldn't post a link such as this but once it hit Ars Technica there wasn't much left to the imagination.
          • 2. Re: Regarding Security patch for listener CVE-2012-1675
            868750
            Thank you damorgan,


            Will go through the document.


            Regards,
            Kumar
            • 4. Re: Regarding Security patch for listener CVE-2012-1675
              934517
              Hi all,
              It seems that for non-RAC a simple workaround exists (see http://www.joxeankoret.com/download/tnspoison.pdf, http://www.h-online.com/security/news/item/Oracle-databases-vulnerable-to-injected-listeners-1563150.html) just by setting
              DYNAMIC_REGISTRATION = OFF (in listener.ora).

              * Can anyone confirm whether or not this works? And if yes, would it work in Oracle 9i? (I cannot check it myself: Oracle.com leads me to http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1 (for non-RAC), but my Oracle.com account does not have enough privileges.)
              * And yes, I have checked the Oracle documentation (both 9i and 11g), but that does not really help.

              In the documentation I do find a setting DYNAMIC_REGISTRATION_<listener_name> = ..., but not DYNAMIC_REGISTRATION = ...
              So I'm not sure if this setting actually exists; can anyone confirm?
              * And if the setting exists, I did it as below. Is this correct, given an instance name XYZ?
              Thanks in advance for your help!


              XYZ =
                (DESCRIPTION_LIST =
                  (DESCRIPTION =
                    (ADDRESS_LIST =
                      (ADDRESS = (PROTOCOL = TCP)(HOST = ...)(PORT = 1521))
                    )
                    (ADDRESS_LIST =
                      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
                    )
                  )
                )

              SID_LIST_XYZ =
                (SID_LIST =
                  (SID_DESC =
                    ...
                    (ORACLE_HOME = ...)
                    (PROGRAM = extproc)
                    (DYNAMIC_REGISTRATION = OFF)
                  )
                )
              • 5. Re: Regarding Security patch for listener CVE-2012-1675
                934517
                Informed by others, it seems that the correct config re my example would be like below, where XYZ is the listener name (not the database or instance name, although these might be equal to the listener name).
                I have not been able to confirm that this actually changes something, as my old-fashioned 9i database listener is not able to show this setting :-(
                A former colleague will try this on newer (10g, 11g) databases and will let me know; I will keep you posted.

                XYZ =
                  (DESCRIPTION_LIST =
                    (DESCRIPTION =
                      (ADDRESS_LIST =
                        (ADDRESS = (PROTOCOL = TCP)(HOST = ...)(PORT = 1521))
                      )
                      (ADDRESS_LIST =
                        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
                      )
                    )
                  )

                SID_LIST_XYZ =
                  (SID_LIST =
                    (SID_DESC =
                      ...
                      (ORACLE_HOME = ...)
                      (PROGRAM = extproc)
                    )
                  )

                DYNAMIC_REGISTRATION_XYZ = off
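
An added check, not code from the thread or from Oracle, for the placement difference between the configurations in replies 4 and 5: it parses listener.ora text and reports, per listener, whether a top-level DYNAMIC_REGISTRATION_<listener_name> = off is present and which entries carry the parameter nested inside them. The two sample files and the host name dbhost.example are constructed, and treating any top-level entry that contains an ADDRESS as a listener definition is an assumption.

```python
import re

# Constructed sample mirroring reply 4: the setting sits inside SID_DESC.
NESTED = """
XYZ =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521)))))
SID_LIST_XYZ =
  (SID_LIST =
    (SID_DESC =
      (PROGRAM = extproc)
      (DYNAMIC_REGISTRATION = OFF)))
"""
# Constructed sample mirroring reply 5: the setting is its own top-level parameter.
TOP_LEVEL = (NESTED.replace("(DYNAMIC_REGISTRATION = OFF)", "")
             + "DYNAMIC_REGISTRATION_XYZ = off\n")

PUNCT = {"(", ")", "="}


def top_level_params(text):
    """Return {NAME: [value tokens]} for parameters defined at paren depth 0."""
    tokens = re.findall(r"[()=]|[^()=\s]+", re.sub(r"#[^\n]*", "", text))
    params, depth, name = {}, 0, None
    for i, tok in enumerate(tokens):
        depth += (tok == "(") - (tok == ")")
        if depth == 0 and tok not in PUNCT and tokens[i + 1:i + 2] == ["="]:
            name = tok.upper()          # a new top-level parameter starts here
            params[name] = []
        elif name is not None and not (tok == "=" and depth == 0 and not params[name]):
            params[name].append(tok)    # everything else belongs to its value
    return params


def audit(text):
    """Report per-listener registration setting and any nested (misplaced) use."""
    params = top_level_params(text)
    # Assumption: a top-level entry whose value contains ADDRESS is a listener.
    listeners = [n for n, v in params.items() if "ADDRESS" in (t.upper() for t in v)]
    status = {}
    for lsnr in listeners:
        value = params.get("DYNAMIC_REGISTRATION_" + lsnr, [])
        status[lsnr] = "off" if value[:1] and value[0].lower() == "off" else "not disabled"
    misplaced = [n for n, v in params.items()
                 if any(t.upper().startswith("DYNAMIC_REGISTRATION") for t in v)]
    return status, misplaced


if __name__ == "__main__":
    for label, text in (("reply 4", NESTED), ("reply 5", TOP_LEVEL)):
        print(label, audit(text))
```

The check inspects the file only; whether a given listener version honours the parameter is the question the thread leaves open.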
                • 6. Re: Regarding Security patch for listener CVE-2012-1675
                  TC
                  The configuration changes posted by Oracle to fix the Poison problem do not work for 10g. The changes require patch 12880299, which is an 11g-only patch. Oracle will not backport to 10.2.0.3 or 10.2.04. Whether they will backport to 10.2.0.5 is yet to be seen.
                  • 7. Re: Regarding Security patch for listener CVE-2012-1675
                    934517
                    Exactly which configuration changes do you mean? Those for RAC or those for non-RAC?
                    And is this information verified with Oracle?
                    • 8. Re: Regarding Security patch for listener CVE-2012-1675
                      netguy-Oracle
                      "The configuration changes posted by Oracle to fix the Poison problem do not work for 10g. The changes require patch 12880299, which is an 11g-only patch. Oracle will not backport to 10.2.0.3 or 10.2.04. Whether they will backport to 10.2.0.5 is yet to be seen."

                      ----------------------------

                      Patches are available for all supported versions.

                      If you are running a standalone database, version 10.2.0.3 or higher, no patch is necessary and it is a very simple configuration (it takes a couple of minutes).

                      If you are running RAC then the patch is necessary (12880299) but it is still a fairly simple setup following the instructions in the Oracle note.

                      cheers

                      Edited by: mseibt on May 6, 2012 10:25 PM