3 Replies. Latest reply: May 9, 2014 3:45 AM by Balaji Desai

    XE database identified for Oracle TNS Listener Remote Poisoning vulnerability

    Balaji Desai

      We have Oracle XE 11.2.0.2 installed on a Windows 2003 server. The TNS listener was identified as having the "Oracle TNS Listener Remote Poisoning" (CVE-2012-1675) security vulnerability.

      We tried workarounds suggested by Oracle, but none are working.

       

      1. Set Dynamic Registration of instance off - It does not work since we are using Oracle Apex.

      2. Set the SECURE_REGISTER parameter to restrict registration to the IPC protocol. However, we observe that the database does not get registered with the listener after enabling this parameter.

      3. We cannot set the SECURE_LISTENER parameter to restrict registration to the TCP protocol since it requires a patch to be applied to the database. We cannot apply patches to Oracle XE.

       

      So, how can we address this CVE-2012-1675 security vulnerability?

       

      Thanks and Regards,

       

      Balaji Desai
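
An added example, not part of the original post and not Oracle's code: a small Python check of a `listener.ora` against workarounds 1 and 2 listed above, flagging a registration restriction that the listener or the instance cannot satisfy. It assumes the per-listener parameter forms `DYNAMIC_REGISTRATION_<listener_name>` and `SECURE_REGISTER_<listener_name>`, a listener named `LISTENER`, and a constructed sample file; the optional `local_listener` argument stands for the instance's `LOCAL_LISTENER` address.

```python
import re

# Constructed sample listener.ora (not from the post): listener named LISTENER,
# registration restricted to IPC as in workaround 2.
SAMPLE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SECURE_REGISTER_LISTENER = (IPC)
"""

def top_level_params(text):
    """Return {NAME: value} for entries that start in column 0 at paren depth 0."""
    params, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line:
            continue
        m = re.match(r"([A-Za-z_]\w*)\s*=\s*(.*)", line) if depth == 0 else None
        if m:
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name:                                # indented continuation line
            params[name] += " " + line.strip()
        depth += line.count("(") - line.count(")")
    return params

def protocols(value):
    """Protocols named in (PROTOCOL = x) clauses of an address string."""
    return {p.upper() for p in re.findall(r"PROTOCOL\s*=\s*(\w+)", value, re.I)}

def audit(text, listener="LISTENER", local_listener=None):
    """local_listener: the instance's LOCAL_LISTENER address string, if known."""
    p, key = top_level_params(text), listener.upper()
    if p.get("DYNAMIC_REGISTRATION_" + key, "ON").strip().upper() == "OFF":
        return ["dynamic registration is off: only static SID_LIST entries are served"]
    allowed = {a.upper() for a in re.findall(r"\w+", p.get("SECURE_REGISTER_" + key, ""))}
    if not allowed:
        return ["no SECURE_REGISTER restriction: registration is accepted on every endpoint"]
    findings = [f"{a} may register but the listener has no {a} endpoint"
                for a in sorted(allowed - protocols(p.get(key, "")))]
    if local_listener is not None:
        for proto in sorted(protocols(local_listener) - allowed):
            findings.append(f"instance registers over {proto}, which the restriction rejects")
    return findings
```

An empty list from `audit` means the file is consistent with the restriction; it does not prove the instance has actually registered.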