Re: Oracle Security Alert for CVE-2012-1675 - 10g extended support

  • From: dnrg <dananrg@xxxxxxxxx>
  • To: "wts@xxxxxxxxx" <wts@xxxxxxxxx>, oracle Freelists <Oracle-L@xxxxxxxxxxxxx>
  • Date: Fri, 11 May 2012 12:03:38 -0700 (PDT)

Here are some findings I have so far for this vulnerability. Maybe it will help 
others. All systems mentioned are non-RAC:

* Opened an SR to ask about patch 12880299 availability for 10.2.0.X on Linux 
Itanium. Was told none would be released and to use the IPC fix. Tested and it 
worked fine.

* Patch 12880299 worked great on 11.2.0.3.2 x86-64 platforms.

* Patch 12880299 didn't work at all on 11.2.0.2.6 x86-64 platforms. The patch 
installs but the protective behavior does not manifest. This wasn't expected, 
so I used the IPC fix. That worked as expected.


IPC FIX
======


For the general IPC fix, when you add the following items to your listener.ora, 
bounce your listener, then do a LSNRCTL> status and LSNRCTL> services, no 
service handlers will be registered. Not even local ones (except perhaps for an 
EXTPROC handler). Definitely no Oracle instances. This should prove to you that 
the SECURE_REGISTER_LISTENER = (IPC) directive is being honored. Perhaps take a 
screenshot of your listener status / services before bouncing the listener, so 
you'll know everything you expect to see has returned after the fix.


1) Add this as another "ADDRESS" list item, where "MyKeyHere" can evidently be 
whatever you'd like:

(ADDRESS = (PROTOCOL = IPC) (KEY = MyKeyHere))


Then add SECURE_REGISTER_LISTENER = (IPC) beneath your listener definition, 
where _LISTENER is the actual name of your listener.


LISTENER =
  (DESCRIPTION_LIST =
    (ADDRESS = (PROTOCOL = IPC) (KEY = MyKeyHere))
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = <YourListenerHostNameHere>)(PORT = <whichever port # you use>))
    )
  )

SECURE_REGISTER_LISTENER = (IPC)


2) After you've bounced your listener and see no instances registered, log on 
to each Oracle instance running on the same host and do the following. Be sure 
to use the same key value you specified in your listener.ora.


show parameter local_listener
alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=MyKeyHere)))' scope = both;
show parameter local_listener


3) Go back to your listener and run a LSNRCTL> services. You should see all the 
local instances you expect. All will have a designator of LOCAL SERVER. If you 
see any handlers with REMOTE SERVER, something's wrong.

If in the future you add new instances to the host, you'll need to set 
LOCAL_LISTENER as above for each one.


* If you go the patch 12880299 route for non-RAC, you test if the patch is 
successful, at the very end of all the steps, by logging into an Oracle 
instance on a different host than the protected listener and doing the 
following:

show parameter REMOTE_LISTENER
... or grab the pre-test value as follows:
select value from v$spparameter where name = 'remote_listener';

alter system set REMOTE_LISTENER='(ADDRESS=(PROTOCOL=TCP)(HOST=<protected listener host name>)(PORT=<####>))' scope=memory;
show parameter REMOTE_LISTENER


And maybe an:   "alter system register" to force a registration attempt.

Then go to the host with your protected listener and inspect the listener.ora 
file. On *nix you could have already opened it with a "tail -f listener.log".
You should see an error something like the following:

<Date/Time here> * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

Also do a LSNRCTL> services to ensure you only see service handlers 
designated as LOCAL SERVER and not REMOTE SERVER.

After the test, be sure to "alter system set REMOTE_LISTENER" back to its 
original value for your remote instance.


Hope this helps.

Dana
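
The two checks described in the message above (no REMOTE SERVER handlers in the `lsnrctl services` output, and rejected registrations logged with error 1194), scripted as an added example that is not part of the original post. The function names, instance names and sample text are constructed for illustration; the log pattern assumes the line format quoted in the message.

```shell
#!/bin/sh
# Added example; all sample data below is constructed, not captured output.

# Read `lsnrctl services` output on stdin and print each instance that has a
# REMOTE SERVER handler. Prints nothing when every handler is LOCAL SERVER.
remote_handlers() {
    awk '
        /^[ \t]*Instance "/            { split($0, q, "\""); inst = q[2] }
        /^[ \t]*REMOTE SERVER[ \t]*$/  { print inst }
    ' | sort -u
}

# Read listener.log text on stdin and count registration attempts that the
# listener rejected with error 1194 (the TNS-01194 line follows each one).
rejected_registrations() {
    awk '/service_register.*\* 1194[ \t]*$/ { n++ } END { print n + 0 }'
}

sample_services() {   # constructed sample of `lsnrctl services` output
    cat <<'EOF'
Service "PROD" has 2 instance(s).
  Instance "PROD", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
  Instance "REMOTEDB", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=otherhost.example)(PORT=1521))
EOF
}

sample_log() {        # constructed sample of listener.log lines
    cat <<'EOF'
11-MAY-2012 12:01:07 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
11-MAY-2012 12:02:10 * service_update * PROD * 0
EOF
}

# Stand-alone run over the samples; on a real host, pipe in the output of
# `lsnrctl services` and the contents of listener.log instead.
echo "instances with REMOTE SERVER handlers: $(sample_services | remote_handlers | tr '\n' ' ')"
echo "rejected registrations (1194): $(sample_log | rejected_registrations)"
```

On a protected listener the first function should print nothing; any instance name it prints corresponds to the "something's wrong" case in step 3.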