Re: Will Oracle Security Alert for CVE-2012-1675 non-RAC fixes work with CMAN, etc?

  • From: Martin Berger <martin.a.berger@xxxxxxxxx>
  • To: dnrg <dananrg@xxxxxxxxx>
  • Date: Tue, 8 May 2012 18:56:59 +0200

Dana,

Yes, the moment you make sure DST= _only_ points to the hosts which
are expected to serve SRV, you are protected.
In fact there is a little hole, where someone hijacks the DB-Server
host and, instead of attacking the DB directly, hijacks the CMAN. But
I'd say in this case there are bigger problems than CMAN.

In the Note mentioned "node1" is the "good one" and "node2" the "hijacker".
If you want to save a CMAN which serves a service from a RAC, you
should add all Listener-IPs of this RAC. (I'd guess only the
hostname-VIPs are enough, but I never tested this in detail).

I'd say 12880299 is not needed for CMAN at all. If your OID has its
own listener, apply it in the home for this listener.

hth
 Martin


On Tue, May 8, 2012 at 5:10 PM, dnrg <dananrg@xxxxxxxxx> wrote:
> Thanks Martin. Based on what you said, your blog entry, and MOS ID
> 1455068.1, I believe we may already be protected. Unless I'm not understanding
> things correctly. Does the mere presence alone of one or more CMAN rules
> routing traffic to specific instances rule out any hijacking? For example,
> we have rules for each instance having the following form:
>
>  (rule=
>     (src=*)
>     (dst=<host containing oracle database of interest>)
>     (srv=<fully qualified service name of instance>)
>     (act=accept))
>
> The Node 1 and Node 2 verbiage in the MOS note I don't fully understand.
> What does it mean to have more than one "node" in this context? Some RAC
> tie-in? Failover / multiple CMAN instances? (we have a few).
>
> I have a follow-on question; not sure if this should be a reply to other
> pre-existing posts on this vulnerability or create a new one. Any
> suggestions?
> Anyway, I'm trying to apply patch 12880299 to an 11.2.0.3 Linux-x86 box used
> only for CMAN and OID. There is no ASM / Grid Infrastructure. The host has
> both a "client home" and a "db home". And the listener runs out of the
> client home. On page 1 of the READ ME, Product Patched lists "RDBMS, ASM."
> Again, no ASM here.
>
> So my question is this:
>
> Do I apply the patch only to the "client home" since that's where the
> listener runs from? Or would it also be necessary to apply the patch again
> to the 11g database home?
>
--
//www.freelists.org/webpage/oracle-l
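
The check discussed in this thread (every accepting CMAN rule's DST names only hosts expected to serve its SRV) can be automated. The following is an added example, not code from the thread or from Oracle; the host names, service names, the `expected` allowlist and the helper names `parse_rules` and `audit` are all assumptions made for illustration.

```python
import re

# Constructed sample in the (rule=(src=)(dst=)(srv=)(act=)) form quoted above;
# host and service names are made up for illustration.
SAMPLE_RULES = """
(rule_list=
  (rule=(src=*)(dst=dbhost1.example.com)(srv=sales.example.com)(act=accept))
  (rule=(src=*)(dst=*)(srv=hr.example.com)(act=accept))
  (rule=(src=*)(dst=10.0.0.99)(srv=sales.example.com)(act=accept))
  (rule=(src=*)(dst=*)(srv=*)(act=reject))
)
"""

# A rule is "(rule=" followed by one or more flat "(key=value)" groups.
RULE_RE = re.compile(r"\(\s*rule\s*=((?:\s*\([^()]*\))+)\s*\)", re.I)
FIELD_RE = re.compile(r"\(\s*(\w+)\s*=\s*([^()]*?)\s*\)")

def parse_rules(text):
    """Return one dict per rule, keys lower-cased (src, dst, srv, act)."""
    return [{k.lower(): v for k, v in FIELD_RE.findall(body)}
            for body in RULE_RE.findall(text)]

def audit(rules, expected):
    """expected maps service name -> set of hosts allowed to serve it
    (an assumed, operator-maintained allowlist).
    Returns (rule_index, reason) for accept rules whose target is too broad."""
    findings = []
    for i, r in enumerate(rules):
        if r.get("act", "").lower() != "accept":
            continue  # only accepting rules can forward a connection
        srv, dst = r.get("srv", "*"), r.get("dst", "*")
        if srv == "*":
            findings.append((i, "srv wildcard: any service name accepted"))
        elif dst == "*":
            findings.append((i, f"dst wildcard for {srv}"))
        elif dst.lower() not in expected.get(srv.lower(), set()):
            findings.append((i, f"{dst} is not an expected host for {srv}"))
    return findings

if __name__ == "__main__":
    expected = {"sales.example.com": {"dbhost1.example.com"},
                "hr.example.com": {"dbhost2.example.com"}}
    for idx, reason in audit(parse_rules(SAMPLE_RULES), expected):
        print(f"rule {idx}: {reason}")
```
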

