Your statement: "not enough" has no meaning without an explanation.
Surely the remote users are not on the same subnet as the local users.
I don't understand why it wouldn't be but assuming that is the case I would create an AFTER LOGON system event trigger, look at a variety of values available using SYS_CONTEXT and then raise an exception if any issue was found.
alter system set remote_listener='' sid='ORCL1';
Another parameter where one can [optionally] specify remote listener(s) is listener_networks.
I'm checking a possible vulnerability that may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password.
Thank you, but it's not the case.
I want to control this on the listener (i.e., find a way for the listener to not allow some database instances to register with it).
MarkusM gave me a wonderful solution:
*Using Class of Secure Transport (COST) to Restrict Instance Registration with SCAN listeners [ID 1340831.1]*
Oracle Security Alert for CVE-2012-1675 ## added
I hope it helps others.
Edited by: Levi Pereira on May 7, 2012 2:37 PM
Yes, I posted about that 4 days ago:
Re: Local Listener Validity in 11gR2
I have not yet had an opportunity to test it; have you successfully tested the procedures? Basically it forces all registration events to occur over IPC/TCPS. I have seen the original test case for this, and while yes, it is true that you can connect if this is not in place, it is a very complex man-in-the-middle vulnerability requiring access to your [hopefully firewalled] database server.
Yes. I already applied this security in all environments that I manage. This procedure works and solves the problem, although this is not the final solution, because this solution uses features (Oracle Advanced Security SSL/TLS) that can be used only in the Enterprise Version.
BTW conversing with some people from Oracle, they told me that soon this will be solved with a simpler solution.
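An added example, not part of the thread or of Oracle's note: a small audit that reads a listener.ora and reports, per listener, whether a COST `SECURE_REGISTER_<listener_name>` entry limits registration to IPC/TCPS as described above. The sample file, the function names and the choice to flag plain TCP as a finding are assumptions made for this illustration.

```python
import re

# Constructed sample listener.ora (not from the thread): LISTENER has no COST
# entry, LISTENER_SCAN1 is limited to IPC/TCPS, LISTENER_OLD still accepts TCP.
SAMPLE = """
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521))))
LISTENER_SCAN1 = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER_SCAN1)))
SECURE_REGISTER_LISTENER_SCAN1 = (IPC, TCPS)
LISTENER_OLD = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1522)))
SECURE_REGISTER_LISTENER_OLD = (TCP, IPC)
# SECURE_REGISTER_LISTENER = (IPC)   <- commented out, must not count
"""

def top_level_params(text):
    """Return {NAME: value} for each top-level 'NAME = (...)' entry."""
    text = re.sub(r"#.*", "", text)           # strip comments
    params, end = {}, 0
    for m in re.finditer(r"([A-Za-z_][\w.]*)\s*=\s*\(", text):
        if m.start() < end:                   # key nested inside a previous value
            continue
        depth, j = 0, m.end() - 1
        while j < len(text):                  # walk to the matching close paren
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            j += 1
            if depth == 0:
                break
        params[m.group(1).upper()] = text[m.end() - 1:j]
        end = j
    return params

def audit_cost(text):
    """Map each listener to 'unrestricted', 'allows TCP' or 'restricted'."""
    params = top_level_params(text)
    result = {}
    for name, value in params.items():
        if "ADDRESS" not in value.upper():    # not a listener definition
            continue
        cost = params.get("SECURE_REGISTER_" + name)
        if cost is None:
            result[name] = "unrestricted"     # any transport may register
        else:
            # Compare whole tokens: a substring test would match TCP in TCPS.
            protos = {p.strip().upper() for p in cost.strip("()").split(",")}
            result[name] = "allows TCP" if "TCP" in protos else "restricted"
    return result

if __name__ == "__main__":
    for listener, status in audit_cost(SAMPLE).items():
        print(f"{listener}: {status}")
```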