Re: Question on Oracle Security Alert for CVE-2012-1675

  • From: "Radoulov, Dimitre" <cichomitiko@xxxxxxxxx>
  • To: "Uzzell, Stephan" <SUzzell@xxxxxxxxxx>
  • Date: Wed, 2 May 2012 17:51:47 +0200

Hi Stephan,
thank you very much!

That is exactly what I was looking for.
There is a note in the official site too (bit.ly/Ju8NB4, right below the
MOS note reference):

------------------------------------------------------------------------------------------------------------------------------

Please note that Oracle has added Oracle Advanced Security SSL/TLS to
the Oracle Database Standard Edition license when used with the Real
Application Clusters and Oracle has added Oracle Advanced Security
SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle
RAC) and RAC One Node options so that the directions provided in the
Support Notes referenced above can be applied by all Oracle customers
without additional cost.

------------------------------------------------------------------------------------------------------------------------------

Best regards
Dimitre

On Wed, May 2, 2012 at 5:45 PM, Uzzell, Stephan <SUzzell@xxxxxxxxxx> wrote:
> Hi Dimitre,
>
> See https://blogs.oracle.com/security/entry/security_alert_for_cve_2012 :
>
> " Note that implementing COST restrictions in RAC environments require the 
> use of SSL/TLS encryption.  Such network encryption features were previously 
> only available to customers who were licensed for Oracle Advanced Security. 
>  However, RAC customers who were previously not licensed for Oracle Advanced 
> Security need not be concerned about a licensing restriction as Oracle has 
> updated its licensing to allow these customers a restricted use of these 
> features (namely SSL and TLS) to protect themselves against vulnerability 
> CVE-2012-1675.  In other words, Oracle has added Oracle Advanced Security 
> SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and 
> RAC One Node options, and added Oracle Advanced Security SSL/TLS to the 
> Oracle Database Standard Edition license when used with the Real Application 
> Clusters."
>
> Stephan Uzzell
>
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
> Behalf Of Radoulov, Dimitre
> Sent: Wednesday, 02 May, 2012 11:42
> To: martin.a.berger@xxxxxxxxx
> Cc: ksmadduri@xxxxxxxxx; oracle Freelists
> Subject: Re: Question on Oracle Security Alert for CVE-2012-1675
>
> Hi,
> if I am reading Note 1340831.1 correctly, in order to secure the 
> communication between pmon and the scan listeners, we'll need to use SSL.
>
> There is a note about _licensing changes_:
>
> --------------------------------------------------------------
>
> Please refer to the Oracle licensing documentation available on Oracle.com 
> regarding licensing changes that allow Oracle Advanced Security SSL/TLS to be 
> used with Oracle SE Oracle Real Application Clusters and Oracle Enterprise 
> Edition Real Application Customers (Oracle RAC) and Oracle RAC OneNode 
> Options.
>
> --------------------------------------------------------------
>
> I am trying to understand if we need to buy the Advanced Security option in 
> order to fix the issue (I hope we don't ...).
>
> Can anybody throw some light on this?
>
>
> Thanks
> Dimitre
>
>
>
>
> On Wed, May 2, 2012 at 3:48 PM, Martin Berger <martin.a.berger@xxxxxxxxx> 
> wrote:
>> Hi Kumar,
>>
>> even untested,
>> yes, that is enough.
>>
>> for local listener
>> SECURE_REGISTER_LISTENER = (TCP)
>> is the same in both documents (it's just more widely explained in 1453883.1).
>>
>> as this is a real new topic and many are interested in its details,
>> please share all your findings?
>>
>> Martin
>>
>> On Wed, May 2, 2012 at 9:24 AM, Kumar Madduri <ksmadduri@xxxxxxxxx> wrote:
>>> Hi
>>> Two notes are given for applying the fix for this alert (one for rac
>>> and another for non-rac).
>>> We don't use scan listeners on a 2 node rac. So after reading the note
>>> 1340831.1, I think the steps listed for scan listeners are not
>>> required (creating wallet and other steps that follow).
>>> In this case note 1453883.1 (for non-rac) is applicable for rac as well.
>>> I am going to re-read the notes again and raise SR if required but
>>> thought about checking with the list as well.
>>>
>>>
>>> Thank you
>>> Kumar
>>>
>>>
>>> --
>>> //www.freelists.org/webpage/oracle-l

