Could somebody please explain the new security patch released by Oracle for CVE-2012-1675 (TNS Listener Poison Attack)?
I have gone through Metalink ID 1453883.1 and, to my understanding, this fix needs to be applied where we are using Shared Server configurations. But if we are going for a Dedicated Server configuration, it's not needed.
Please correct me if I'm wrong. I'm also a little bit confused about the below statement from the above-mentioned Metalink ID:
<Moderator edit - deleted MOS Doc content - pl do not post contents of MOS Docs>
It seems that for non-RAC a simple workaround exists (see http://www.joxeankoret.com/download/tnspoison.pdf, http://www.h-online.com/security/news/item/Oracle-databases-vulnerable-to-injected-listeners-1563150.html) just by setting
DYNAMIC_REGISTRATION = OFF (in listener.ora).
* Can anyone confirm whether or not this works? And if yes, would it work in Oracle 9i? (I cannot check it myself; Oracle.com leads me to http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1 (for non-RAC), but my Oracle.com account does not have enough privileges.)
* And yes, I have checked the Oracle documentation (both 9i and 11g), but that does not really help.
In the documentation I do find a setting DYNAMIC_REGISTRATION_<listener_name> = ..., but not DYNAMIC_REGISTRATION = ...
So I'm not sure if this setting actually exists, can anyone confirm?
* And if the setting exists, I did it as below; is this correct, given an instance name XYZ?
Thanks in advance for your help!
Informed by others, it seems that the correct config re my example would be like below, where XYZ is the listener name (not the database or instance name, although these might be equal to the listener name).
I have not been able to confirm that this actually changes something, as my old-fashioned 9i database listener is not able to show this setting :-(
A former colleague will try this on newer (10g, 11g) databases and will let me know; I will keep you posted.
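A check for the point this post arrives at, that the parameter carries the listener name as its suffix. This is an added example, not part of the thread and not Oracle's code; the sample listener.ora (hosts, ports, SID, the second listener) and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample listener.ora; every value in it is made up.
SAMPLE = """\
# constructed example
XYZ =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521)))
LISTENER2 =
  (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1522))
SID_LIST_XYZ =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle)))
DYNAMIC_REGISTRATION_XYZ = OFF
DYNAMIC_REGISTRATION = OFF
"""

PREFIX = "DYNAMIC_REGISTRATION"

def top_level_params(text):
    """Return {NAME: value} for each parameter at parenthesis depth 0."""
    text = re.sub(r"#[^\n]*", "", text)           # drop comments
    depth, depths = 0, []
    for ch in text:
        depths.append(depth)                       # depth before this char
        depth += (ch == "(") - (ch == ")")
    heads = [m for m in re.finditer(r"([A-Za-z_]\w*)\s*=", text)
             if depths[m.start()] == 0]
    params = {}
    for m, nxt in zip(heads, heads[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        params[m.group(1).upper()] = text[m.end():end].strip()
    return params

def audit(text):
    """Return ({listener: registration_off}, [settings matching no listener])."""
    params = top_level_params(text)
    # A top-level entry whose value holds an ADDRESS is a listener definition.
    listeners = [n for n, v in params.items()
                 if re.search(r"\(\s*ADDRESS\s*=", v, re.I)]
    status = {n: params.get(f"{PREFIX}_{n}", "").upper() == "OFF"
              for n in listeners}
    # Settings such as a bare DYNAMIC_REGISTRATION, or one with a wrong suffix.
    stray = [n for n in params
             if n.startswith(PREFIX) and n[len(PREFIX) + 1:] not in listeners]
    return status, stray

if __name__ == "__main__":
    print(audit(SAMPLE))
```

With dynamic registration off, the listener only serves services listed statically in `SID_LIST_<listener_name>`, so check that entry exists before applying the setting.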
The configuration changes posted by Oracle to fix the Poison problem do not work for 10g. The changes require patch 12880299, which is a 11g only patch. Oracle will not backport to 10.2.0.3 or 10.2.04. Whether they will backport to 10.2.0.5 is yet to be seen.
"The configuration changes posted by Oracle to fix the Poison problem do not work for 10g. The changes require patch 12880299, which is a 11g only patch. Oracle will not backport to 10.2.0.3 or 10.2.04. Whether they will backport to 10.2.0.5 is yet to be seen."
Patches are available for all supported versions.
If you are running a standalone database version 10.2.0.3 or higher, no patch is necessary and it is a very simple configuration (it takes a couple of minutes).
If you are running RAC then the patch is necessary (12880299) but it is still a fairly simple setup following the instructions in the Oracle note.