Oracle 11.2.0.4 TNS Listener Remote Poisoning Vulnerability (CVE-2012-1675) Remediation

Remediation for Oracle 11.2.0.4 single-instance and RAC databases

With the growing emphasis on network security, the Oracle TNS listener remote poisoning vulnerability (CVE-2012-1675) has been classified as high-risk and must be remediated.

Starting with Oracle 11.2.0.4, Oracle introduced the Valid Node Checking For Registration (VNCR) feature; the vulnerability can be fixed by configuring the VALID_NODE_CHECKING_REGISTRATION_LISTENER parameter.

1. Fixing the Oracle TNS listener remote poisoning vulnerability

1.1 Edit the listener file

    vi $ORACLE_HOME/network/admin/listener.ora
    # listener.ora Network Configuration File: /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
    # Generated by Oracle configuration tools.
    
    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC =
          (GLOBAL_DBNAME = ods)
          (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
          (SID_NAME = ods)
        )
      )
    
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = <IP or host name>)(PORT = 1521))
          # (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))   -- commented out: IPC is rarely used, almost all applications connect to the database over TCP
        )
      )
    
    ADR_BASE_LISTENER = /u01/app/oracle
    # Single instance: adding the following line is all that is needed
    VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
    
    # RAC: add the following three lines; repeat the two LISTENER_SCANn lines for every LISTENER_SCAN listener
    VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
    VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
    REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(<all public IPs of the RAC nodes: host IPs, VIPs and SCAN IPs>)

1.2 Reload the listener

    lsnrctl reload
    lsnrctl reload listener_scan1     # RAC instances must also run this command

2. Verifying the fix

2.1 Verify listener behaviour with the VNCR rules commented out

2.1.1 Comment out the VNCR rules in listener.ora

    # Single instance
    # VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
    
    # RAC
    # VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
    # VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
    # REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(<all public IPs of all nodes>)

2.1.2 Reload the listener

    lsnrctl reload
    lsnrctl reload listener_scan1     # RAC instances must also run this command

2.1.3 Set remote_listener on another database

    SQL> show parameter remote_listener
    SQL> alter system set remote_listener=(ADDRESS = (PROTOCOL = TCP)(HOST = <ip>)(PORT = 1521)) scope=memory;
    SQL> show parameter remote_listener
    SQL> alter system register;

2.1.4 Check the listener service information

Check whether the listener service information contains the string "REMOTE SERVER"; that string is the sign that the vulnerability is present (an instance on another host has registered with this listener):

    $ lsnrctl services listener
    LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 04-SEP-2019 17:16:55
    Copyright (c) 1991, 2013, Oracle.  All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
    Services Summary...
    Service "TESTDB" has 1 instance(s).
      Instance "TESTDB", status READY, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0 state:blocked
             REMOTE SERVER
             (ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)(PORT=1521))
    Service "ods" has 2 instance(s).
      Instance "ods", status UNKNOWN, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0
             LOCAL SERVER
      Instance "ods", status READY, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:2 refused:0 state:ready
             LOCAL SERVER
    Service "odsXDB" has 1 instance(s).
      Instance "ods", status READY, has 1 handler(s) for this service...
        Handler(s):
          "D000" established:0 refused:0 current:0 max:1022 state:ready
             DISPATCHER <machine: localhost, pid: 18481>
             (ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=29037))
    The command completed successfully

2.1.5 Check the listener log

    04-SEP-2019 17:16:55 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ip)(USER=oracle))(COMMAND=services)(ARGUMENTS=64)(SERVICE=listener)(VERSION=186647552)) * services * 0
    Wed Sep 04 17:17:21 2019
    04-SEP-2019 17:17:21 * service_update * testdb * 0
    Wed Sep 04 17:17:51 2019
    04-SEP-2019 17:17:51 * service_update * testdb * 0
    04-SEP-2019 17:17:54 * service_update * testdb * 0
    04-SEP-2019 17:17:57 * service_update * testdb * 0
    Wed Sep 04 17:18:21 2019
    04-SEP-2019 17:18:21 * service_update * testdb * 0

The entries above show that testdb has registered remotely with this listener.

2.2 Verify listener behaviour with the VNCR rules in effect

2.2.1 Enable the VNCR rules

    # Single instance
    VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
    
    # RAC
    VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
    VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
    REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(<all public IPs of all nodes>)

2.2.2 Reload the listener

    lsnrctl reload
    lsnrctl reload listener_scan1     # RAC instances must also run this command

2.2.3 Operate on the other database

Run the fast dynamic listener registration command. Because remote_listener was already set in the previous step, it does not need to be set again; running alter system register is enough.

    SQL> alter system register;

2.2.4 Check the listener service information

In the listener service information below, the "REMOTE SERVER" string no longer appears, which shows that the vulnerability is now fixed:

    $ lsnrctl services listener
    LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 04-SEP-2019 17:26:12
    Copyright (c) 1991, 2013, Oracle.  All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
    Services Summary...
    Service "ods" has 2 instance(s).
      Instance "ods", status UNKNOWN, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0
             LOCAL SERVER
      Instance "ods", status READY, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:3 refused:0 state:ready
             LOCAL SERVER
    Service "odsXDB" has 1 instance(s).
      Instance "ods", status READY, has 1 handler(s) for this service...
        Handler(s):
          "D000" established:0 refused:0 current:0 max:1022 state:ready
             DISPATCHER <machine: xxptods, pid: 18481>
             (ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=29037))
    The command completed successfully

2.2.5 Check the listener log

The listener log below shows that the remote registration request was rejected (TNS-01182):

    Wed Sep 04 17:25:15 2019
    Listener(VNCR option 1) rejected Registration request from destination 10.0.100.7
    04-SEP-2019 17:25:15 * service_register_NSGR * 1182
    TNS-01182: Listener rejected registration of service ""

3. Supplementary notes

3.1 VALID_NODE_CHECKING_REGISTRATION_listener_name

listener_name: the name of the listener

Parameter values:

  • OFF/0: VNCR is disabled; services that register with the listener are not checked

  • ON/1/LOCAL: VNCR is enabled; by default only services from the local host's IP addresses may register with this listener, and other servers that genuinely need to register can be added with the REGISTRATION_INVITED_NODES parameter

  • SUBNET/2: servers in the specified subnet are allowed to register

3.2 REGISTRATION_INVITED_NODES_listener_name

This parameter controls which nodes are allowed to register with the listener; nodes can be specified by IP address, host name or subnet.

For example: REGISTRATION_INVITED_NODES_Listener=(net-vm1, 127.98.45.209, 127.42.5.*)

Note: when an INVITED list is set, the machine's local IP is automatically included in the list; there is no need to add it.

3.3 Differences between 11.2.0.4 and 12c

On 12.1 RAC databases, the listener parameter VALID_NODE_CHECKING_REGISTRATION_listener_name defaults to SUBNET / 2, which means every machine in the subnet is allowed to register, so the 12c default does not resolve CVE-2012-1675.
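The verification steps in section 2 and the parameter values in sections 3.1 and 3.3 can be turned into a repeatable check. The audit script below is an added example, not code from the original post: it reads saved listener.ora, `lsnrctl services` and listener log text on stdin (the constructed samples inside the script stand in for real files), treats only ON/1/LOCAL as closing the issue, and counts REMOTE SERVER handlers and TNS-01182 rejections.

```shell
#!/bin/sh
# Added audit helpers for the VNCR fix (example code, not from the original post).
# Each check reads one artifact on stdin; the samples further down are constructed.

# Print the effective VNCR value for listener $1 from listener.ora text on stdin.
# Commented-out lines are ignored, the last active setting wins, absent means OFF.
vncr_setting() {
    val=$(grep -Ei "^[[:space:]]*VALID_NODE_CHECKING_REGISTRATION_$1[[:space:]]*=" \
          | tail -n 1 | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//' \
          | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "${val:-OFF}"
}

# True only when the value blocks remote registration (ON, 1 or LOCAL):
# OFF/0 disables the check and SUBNET/2 (the 12c RAC default) still admits the subnet.
vncr_enforcing() { case "$1" in ON|1|LOCAL) return 0 ;; *) return 1 ;; esac; }

# Count "REMOTE SERVER" handlers in `lsnrctl services` output on stdin (remote registrations).
remote_handlers() { grep -c 'REMOTE SERVER' || true; }

# Count VNCR rejections (TNS-01182) in listener log text on stdin.
vncr_rejections() { grep -c 'rejected Registration request' || true; }

# Run all checks; print one line per finding and return 1 if the listener is exposed.
audit() {   # usage: audit LISTENER_NAME ORA_TEXT SERVICES_TEXT LOG_TEXT
    rc=0
    s=$(printf '%s\n' "$2" | vncr_setting "$1")
    vncr_enforcing "$s" || { echo "FAIL: VNCR for $1 is $s"; rc=1; }
    n=$(printf '%s\n' "$3" | remote_handlers)
    [ "$n" -eq 0 ] || { echo "FAIL: $n REMOTE SERVER handler(s) registered"; rc=1; }
    echo "INFO: $(printf '%s\n' "$4" | vncr_rejections) registration(s) rejected by VNCR"
    return "$rc"
}

# Constructed samples: listener.ora before/after the fix, pre-fix `lsnrctl services`
# output and a post-fix listener log excerpt (modelled on the post's output above).
ORA_BEFORE='ADR_BASE_LISTENER = /u01/app/oracle
# VALID_NODE_CHECKING_REGISTRATION_LISTENER=1'
ORA_AFTER='ADR_BASE_LISTENER = /u01/app/oracle
VALID_NODE_CHECKING_REGISTRATION_LISTENER=1'
SERVICES_BEFORE='Service "TESTDB" has 1 instance(s).
      "DEDICATED" established:0 refused:0 state:blocked
         REMOTE SERVER
Service "ods" has 1 instance(s).
         LOCAL SERVER'
LOG_AFTER='Listener(VNCR option 1) rejected Registration request from destination 10.0.100.7
TNS-01182: Listener rejected registration of service ""'
audit LISTENER "$ORA_BEFORE" "$SERVICES_BEFORE" "" || true   # exposed: prints two FAIL lines
audit LISTENER "$ORA_AFTER"  "" "$LOG_AFTER"                 # fixed: prints the INFO line only
```

On a real host, feed the checks with `vncr_setting LISTENER < $ORACLE_HOME/network/admin/listener.ora`, `lsnrctl services listener | remote_handlers` and `vncr_rejections < listener.log`.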

4. References

Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)
How to Enable VNCR on RAC Database to Register only Local Instances (Doc ID 1914282.1)
