Oracle TNS Poison Vulnerability

解决这个问题时alert-cve-2012-1675-1608180:Oracle Security Alert for CVE-2012-1675的记录, 直接从Send Items里摘出来自己的部分:


http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html

 

I think that’s a known securityissue as thus [alert-cve-2012-1675-1608180OracleSecurity Alert for CVE-2012-1675]

 
Affected Products and Versions
·        Oracle Database 11g Release 2, versions 11.2.0.2,11.2.0.3
·        Oracle Database 11g Release 1, version 11.1.0.7
·        Oracle Database 10g Release 2, versions 10.2.0.3,10.2.0.4, 10.2.0.5
 
 
Solution
 
Recommendations for protecting against this vulnerability can befound at:
·        My Oracle Support Note 1340831.1 for Oracle Databasedeployments that use Oracle Real Application Clusters (RAC).
·        My Oracle Support Note 1453883.1 for Oracle Databasedeployments that do not use RAC.
Please note that Oracle has added Oracle Advanced Security SSL/TLSto the Oracle Database Standard Edition license when used with the RealApplication Clusters and Oracle has added Oracle Advanced Security SSL/TLS tothe Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Nodeoptions so that the directions provided in the Support Notes referenced abovecan be applied by all Oracle customers without additional cost.
Note: Pleaserefer to the Oracle licensing documentation available on Oracle.com regardinglicensing changes that allow Oracle Advanced Security SSL/TLS to be used withOracle SE Oracle Real Application Clusters and Oracle Enterprise Edition RealApplication Customers (Oracle RAC) and Oracle RAC OneNode Options.
Due to thethreat posed by a successful attack, Oracle strongly recommends that customersapply this Security Alert solution as soon as possible.
 




Better than using workarounds is to patch thevulnerability[CVE-2012-1675].

However, you could do as thus if you were concerned to restartoracle:


 
Possible workarounds
--------------------
 
There are many possible workarounds. The easier one is to set the
following parameter in the listener.ora configuration file:
dynamic_registration = off.
 
But, sometimes, you don‘t want to apply this workaround. Inexample, if
you have an Oracle RAC cluster, all the cluster‘s instances mustbe
registered in both TNS Listeners so, this workaround is notsuitable for
Oracle RAC clusters. To apply this workaround with Oracle RAC
environments one needs to implement load balancing at the clientside,
changing all the client‘s tnsnames.ora configuration file to addthe
complete list of Oracle RAC nodes.
 
However, there is another possible workaround that, sometimes, is
suitable for Oracle RAC environments. Edit the file protocol.oraor, for
older versions, sqlnet.ora, at the server side and add thefollowing
directives:
 
  TCP.VALIDNODE_CHECKING = YES
  TCP.INVITED_NODE =(Comma,separated,list,of,ALL,valid,clients, ...)
 
But, anyway, this workaround doesn‘t prevent valid clients frombeing
used as proxies. Valid clients can still exploit the vulnerability
regardless the VALIDNODE_CHECKING directive added as the client isa
valid node.
 
Then again, there is one more suitable workaround: If customerbought
(and enabled) Oracle Advanced Security feature clients can beconfigured
to use SSL/TLS. Thus, at both client and server side, thefollowing
parameters must be changed in protocol.ora or sqlnet.ora:
 
  Client side: SQLNET.ENCRYPTION_CLIENT=REQUIRED
  Server side: SQLNET.ENCRYPTION_SERVER=REQUIRED
 
The value of these configuration directives must be REQUIRED andnot
REQUESTED, as is pretty common, otherwise the attacker can answerto the
connection attempt answering that no SSL cipher is supported atthe
server side (as the attacker‘s controlled box is for the clientthe
trusted database‘s server) and the client will reconnect withoutusing
SSL.




Here is more information aboutit…

http://seclists.org/fulldisclosure/2012/Apr/204

 

Then I did a easy way...

 

suneng23:/export/home/sfuser>lsnrctl
 
LSNRCTL for Solaris: Version11.2.0.3.0 - Production on 28-FEB-2014 02:05:56
 
Copyright (c) 1991, 2011,Oracle.  All rights reserved.
 
Welcome to LSNRCTL, type"help" for information.
 
LSNRCTL> setdynamic_registration off
Connecting to(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
LISTENER parameter"dynamic_registration" set to OFF
The command completedsuccessfully
LSNRCTL>  setsave_config_on_stop on
Connecting to(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
LISTENER parameter"save_config_on_stop" set to ON
The command completedsuccessfully
LSNRCTL> exit



Oracle TNS Poison Vulnerability,布布扣,bubuko.com

Oracle TNS Poison Vulnerability

上一篇:微信企业号开发之-如何获取secret 序列号


下一篇:Photoshop 一款逼真的小型MP3