TNS Listener Poison attack : Oracle Security Alert for CVE-2012-1675

Hi,
I'm looking to implement the following Oracle document about COST but I'm not sure what we need to do for the Standby Environment.
Can you guys please advise?
Oracle Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]
Oracle Security Alert for CVE-2012-1675
Thanks

user097815 wrote:
with regards to the below thread which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"... I just wanted to find out if this affects DBs that are external or internal... meaning 95% of our DBs are in network (internally) behind our firewall... and the remaining 5% are outside our firewall facing the world wide web... so does this apply to both or just one?

The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
IMO, mandatory if you expose your Listener to an unsecured or public network (e.g. internet).
As for Listeners running on your internal network - if this attack is used, securing your Listeners means very little IMO. Because your internal network already needs to be compromised in order for the attack to occur. Which means you have far more serious problems than someone attacking your Listeners.

Similar Messages

  • Oracle Security Alert for CVE-2012-1675

    Hi,
    I want to know more about recent release "Oracle Security Alert" : http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
    Document available in https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
    The fix is about Class of Secure Transport (COST). I need to know the elaborate steps to find out whether this change needs to be applied to my databases or not.
    About my DBs : 10.2.4 , AIX, Nondefault Listener, Shared env , non RAC, local_listener is null & running in pfile.
    Thx,
    Gowin.

    Hello;
    Apply it. Very clean. Simple. No outage on Non-RAC. Biggest Impact is listener stop and start. Took about 3 minutes per server.
    Tested today and had zero issues. ( Assumed you understood a CONNECT was part of the test ). Zero issues.
    Had a thread on this here a few days ago :
    Oracle TNS Poison vulnerability
    See Oracle Support Note 1453883.1 for additional information.
    Best Regards
    mseberg
    With all due respect this isn't very hard. Make a decision.
    Edited by: mseberg on May 2, 2012 7:13 AM

  • Oracle Security Alert for CVE-2012-1675 Released April 30th, 2012.

    Kindly let me know how I will download the patch for this. Currently we have Oracle DB on versions 10.2.0.4, 10.1.0, 11.2.0.3 in RAC. Do we need to apply the patch for all these databases? I have not applied any patches after Oracle was installed. Can I apply this patch directly, or do I need to apply the previous patches before this?
    I am a beginner and not a DBA, but I need to support the DB also as part of application support. Kindly help.

    Patches are only available at Oracle's support site - https://support.oracle.com - access to which is granted only if you have a support contract with Oracle.
    After you download the patch(es), follow the steps in the README
    HTH
    Srini

  • Java error - Oracle Security Alert for CVE-2010-4476

    I have come across this security alert described at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
    In summary - Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number.
    This vulnerability affects:
    Java SE
    JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
    JDK 5.0 Update 27 and earlier for Solaris 9
    SDK 1.4.2_29 and earlier for Solaris 8
    Java for Business
    JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
    JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
    SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux
    Java for MacOS X 10.6 update 3 updates Java to SE 6 to version 1.6.0_22.
    Is anyone aware of new Java update for Mac that will fix this problem? If one doesn't exist, does anyone know when a new update will be available?
    Thanks.

    Hi Hussein,
    have you applied this? Please can you update?
    Our environment: 11.5.10.2 (9.2.0.7) running on HP-UX PARISC. We are using Jinitiator. We have not yet migrated to J2SE Plugin.
    So, since the security patch is for JRE, is that still required for our environment?
    Please advise?
    Edited by: oraDBA2 on Feb 13, 2011 9:12 PM

  • TNS Listener Poison Attack...externally or internally ?

    Hello all,
    with regards to the below thread which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"... I just wanted to find out if this affects DBs that are external or internal... meaning 95% of our DBs are in network (internally) behind our firewall... and the remaining 5% are outside our firewall facing the world wide web... so does this apply to both or just one?
    Oracle TNS Poison vulnerability

    user097815 wrote:
    with regards to the below thread which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"... I just wanted to find out if this affects DBs that are external or internal... meaning 95% of our DBs are in network (internally) behind our firewall... and the remaining 5% are outside our firewall facing the world wide web... so does this apply to both or just one?

    The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
    IMO, mandatory if you expose your Listener to an unsecured or public network (e.g. internet).
    As for Listeners running on your internal network - if this attack is used, securing your Listeners means very little IMO. Because your internal network already needs to be compromised in order for the attack to occur. Which means you have far more serious problems than someone attacking your Listeners.

  • TNS Listener Poison attack

    Hi Gurus,
    Recently I came across an alert from Oracle which talks about the TNS Listener Poison attack in an Oracle database environment. I do not understand how someone can attack the listener and get access to the database. Is it possible to provide a scenario as an example?
    Thanks in advance.

    TNS Listener Poison Attack
    The Oracle database server has a separate network connection process that usually operates on TCP port 1521. The database registers as a listener with this process and the process forwards the client requests on to the actual database system that handles the requested database instance.
    Since version 8i, these network connection processes can register additional listeners. Such a listener can even be registered for an existing database instance. The active listener interprets this as a new Oracle Real Application Clusters (RAC) node and uses the new listener to implement load balancing. In other words: every second database connection will be routed via the new listener.
    This security hole is particularly serious "because it allows remote and unauthenticated attackers to redirect the database's network traffic on the database server to an arbitrary server and then intercept it. All they need to know is the Oracle SID or Oracle service name."
    Immediate solution for non-cluster environment:
    dynamic_registration_<listener> = off
    For Example:
    Step 1
    ======
    LSNRCTL> show dynamic_registration
    Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=XS2.WORLD))
    LISTENER parameter "dynamic_registration" set to ON
    The command completed successfully
    Step 2
    ======
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = hostname)(PORT = 1521))
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
        )
      )
    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC =
          (SID_NAME = PLSExtProc)
          (ORACLE_HOME = /u01/app/oracle/product/11.2.0.2)
          (PROGRAM = extproc)
        )
        (SID_DESC =
          (global_dbname = ORCL.hostname)
          (ORACLE_HOME = /u01/app/oracle/product/11.2.0.2)
          (sid_name = hostname)
        )
      )
    ADR_BASE_LISTENER = /u01/app/oracle
    INBOUND_CONNECT_TIMEOUT_LISTENER = 120
    DYNAMIC_REGISTRATION_LISTENER = off
    Conclusion:
    The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
    Note: Mandatory if we expose our Listener to an unsecured or public network (e.g. internet).
    As for Listeners running on your internal network - Internal network already needs to be compromised in order for the attack to occur.
    http://shanojkumar.wordpress.com/2012/05/23/oracle-security-alert-for-cve-2012-1675-tns-listener-poison-attack/

  • TNS Listener Poison Attack - CVE-2012-1675

    I have a few databases from Oracle 9i to Oracle 11g. Many are standalone instances, and a few are RAC instances.
    My questions are
    1) For standalone instances, will the following setting in the listener.ora file and restarting the listener address this vulnerability? Or is there anything else we need to do? We want to avoid any patches now and see if we can resolve this quickly.
    DYNAMIC_REGISTRATION_LISTENER = off
    2) If we don't configure "remote_listener", is it applicable for us?
    3) For RAC instances, I can follow the steps mentioned in
    Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
    Regards,
    Sarayu

    Sarayu;
    1) For standalone instances, will the following setting in the listener.ora file and restarting the listener address this vulnerability? Or is there anything else we need to do? We want to avoid any patches now and see if we can resolve this quickly.
    DYNAMIC_REGISTRATION_LISTENER = off
    A: No, you need to add another setting: ( (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER)) )
    Example :
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = your hostname)(PORT = 1521))
          (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
        )
      )
    Plus for each database
    alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
    stop and start the listener
    Read note 1453883.1
    Oracle 9 - No idea
    2) If we don't configure "remote_listener", is it applicable for us?
    A: Yes, you should still fix your listener.ora
    3) For RAC instances, I can follow the steps mentioned in
    Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
    A: Yes.
    Best Regards
    mseberg
    Aman - Great memory!
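
Added example (not from the posts above or from Oracle's note): a static check of a listener.ora for the two mitigations discussed in this thread, DYNAMIC_REGISTRATION_<listener> = off and COST. It assumes the COST setting is the SECURE_REGISTER_<listener> parameter from Oracle's listener.ora reference, which the posts do not quote; the sample file and the function names are constructed.

```python
import re

# Constructed listener.ora, modelled on the fragments posted in this thread.
SAMPLE = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))))
LISTENER_APP =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1522)))
LISTENER_COST =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1523))
    (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER)))
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
DYNAMIC_REGISTRATION_LISTENER = off
# DYNAMIC_REGISTRATION_LISTENER_APP = off   (commented out, so not in effect)
SECURE_REGISTER_LISTENER_COST = (IPC)
"""

def top_level_params(text):
    """Split listener.ora into {NAME: value}; nested (...) values stay whole."""
    text = re.sub(r"#[^\n]*", "", text)  # comments do not count as settings
    params, depth, name, start = {}, 0, None, 0
    for m in re.finditer(r"[()]|([A-Za-z_][\w.]*)\s*=", text):
        if m.group(0) == "(":
            depth += 1
        elif m.group(0) == ")":
            depth -= 1
        elif depth == 0:  # "NAME =" outside any parentheses starts a parameter
            if name is not None:
                params[name] = text[start:m.start()].strip()
            name, start = m.group(1).upper(), m.end()
    if name is not None:
        params[name] = text[start:].strip()
    return params

def registration_exposure(text):
    """Map each listener in the file to how instance registration is limited."""
    params = top_level_params(text)
    report = {}
    for name, value in params.items():
        if name.startswith("SID_LIST_") or "ADDRESS" not in value.upper():
            continue  # not a listener definition
        if params.get("DYNAMIC_REGISTRATION_" + name, "on").lower() == "off":
            report[name] = "dynamic registration off"
        elif "SECURE_REGISTER_" + name in params:
            report[name] = "COST: " + params["SECURE_REGISTER_" + name]
        else:
            report[name] = "UNRESTRICTED"
    return report

print(registration_exposure(SAMPLE))
```

The file only shows what is configured; `show dynamic_registration` in LSNRCTL, as in Step 1 of the earlier post, confirms what the running listener actually uses.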

  • Oracle TNS Poison vulnerability - CVE-2012-1675

    Oracle announced a zero day vulnerability today - http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
    Looks like a man in the middle attack.
    For CF8 or CF9, can the native oracle driver be configured to use SSL/TLS?

    Rather than attempting to patch something without official patches and potentially breaking your license to use it, I suggest disabling listener dynamic registration and configuring a static local_listener parameter within your XE database.  The TNS poison vulnerability relies on dynamic listener registration, and by disabling it we should no longer have risk from this vulnerability.

  • Listener Poison Attack (CVE-2012-1675).

    I want to fix Listener Poison Attack for non RAC system, but I can't open the url https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
    Can someone get the note for me ? Thanks!

    Hi there,
    You posted this in the Application Express forum. At first glance, it looks like this issue is with the database listener - nothing directly to do with Application Express, really.
    Joel

  • Oracle Security Alert #48

    Does Oracle Security Alert #48 (bug 2642117) - Buffer Overflow in DIRECTORY parameter of Oracle9i Database Server affect Oracle 8i v 8.1.6.0 database?
    I know the Oracle Alert states it affects Oracle 8i v 8.1.7, but I'm not sure if that would mean it affects older releases like v 8.1.6.0.
    Thanks

    Some clips:
    "Products Affected
    Oracle9i Database Release 2v, Version 9.2.x
    Oracle9i Database Release 1v, Version 9.0.x
    Oracle8iDatabase,Version 8.1.x
    Oracle8 Database, Version 8.0.x"
    "Currently there are no plans to release a patch for 8.0.5.x, 8.1.5.x, 8.1.6.x."

  • April 2012 CVE-2012-1675 security alert - issues

    Thanks for taking my questions.
    We are Windows 11g (non-RAC). The April Security Patch CVE-2012-1675 ID: 1453883.1
    This fix isn't working for me. STEP 4) Replace the tcp address in the database ….. errors.
    I did some more digging and found they updated the doc ID: 1453883.1 to include TCP but the first step is “OBTAIN AND APPLY THE PATCH FOR BUG:12880299”. I can’t find this patch or bug.
    Has anyone tackled this fix and got it to work?
    Thanks,
    Kathie

    Thanks everyone for the helpful information!! I sometimes have a real difficult time searching for stuff in Oracle Support so the forum is my reality check:)
    Anyway, I did get the IPC method to work. I think the entries in the network.ora file had to be in a specific order. After I changed the IPC entry before the TCP entry the change applied as expected.
    My understanding is that either the IPC or the TCP change will protect you. If anyone knows something other than that please let me know.
    Thanks again for the help!
    Kathie

  • Oracle Security Alerts via e-mail

    Hi -
    I'm trying to figure out how to get Oracle to send security alerts to me via e-mail, instead of my having to go to the web site (http://otn.oracle.com/deploy/security/alerts.htm).
    Thank you!!

    Hi Anand,
    Go through this link for establishing an HTTP connection to the external mail server
    http://help.sap.com/saphelp_47x200/helpdata/en/ae/71583ca544eb51e10000000a114084/content.htm
    >> where do I maintain the e-mail address to which these alerts are to be forwarded
    The steps are as follows:
    1) Select the Alert Category and check the “Additional configurations” and execute it.
    2) In the pop-up window,
    under Fixed recipients, give the name of a Fixed Recipient User (the user should be present in SU01).
    3) And press the Create Alert button
    The e-mail address of the fixed recipients is taken from SU01 (User Management). Please check that the e-mail ID is present there for the recipients.
    Hope it helps.
    Regards
    Arpit Seth

  • MS Security Essentials for Server 2012 R2

    I've had MS Security Essentials installed on my Server 2008 R2 Foundation, but now that I've upgraded to 2012 R2 Foundation, MS Security Essentials won't install. It gives an error message saying that it won't run on this computer.
    I've searched for a replacement, but my searches yield ONLY results for Server 2012 R2 Essentials, and NOT Security Essentials.  Is there a replacement for MS Security Essentials, and if so, how/where can I find it???
    Capt. Dinosaur

    Hi,
    I agree with Ed that Microsoft Security Essentials is designed for client machines.
    I have seen forum threads indicating that it is running well on Windows 2008 machines; still, it is not supported.
    Here are some references below for you:
    Microsoft Security Essentials, but for Windows Server 2008?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/13a80a5d-825d-48b3-9aa8-8a03ae6de249/microsoft-security-essentials-but-for-windows-server-2008
    Windows Security Essentials on Windows 2008 R2
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c9290ed2-0423-4822-9db9-490c18c3178e/windows-security-essentials-on-windows-2008-r2?forum=winserversecurity
    Best Regards,
    Amy

  • Oracle FAILSAFE and CVE-2012-1675

    Folks,
    I'm running Oracle 10.2.0.3 {PATCH 29} on Windows32 with Oracle Failsafe 3.4.4.1. I've tried implementing the IPC fix and the dynamic_registration=OFF fix as prescribed and get the listener.log error listed below with either attempt. It doesn't look like either fix works for FAILSAFE.
    07-MAY-2012 15:00:07 * service_register_NSGR * 1194
    TNS-01194: The listener command did not arrive in a secure transport
    How do I implement this fix on my environment?
    Any and all help is GREATLY APPRECIATED!

    Hello;
    Did you do this ? :
    Plus for each database
    alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
    "With COST enabled for TCP attempts to register with the listener from anything other than the local system using TCP is rejected and an event is logged"
    TNS-01194
    Might look at these as an option :
    How to Add New Listeners in a Fail Safe Environment [ID 217096.1]
    How to protect a listener with a password in Oracle Fail Safe? [ID 333239.1]
    Best Regards
    mseberg
    Edited by: mseberg on May 7, 2012 12:36 PM
    Edited by: mseberg on May 7, 2012 12:45 PM
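
Added example (not part of the posts above): the TNS-01194 rejection quoted in this thread, turned into a listener.log check that counts refused registration attempts per hour. The rejected lines copy the shape of the log line posted above; the accepted lines, the threshold and the function names are assumptions.

```python
from collections import Counter

# Constructed listener.log excerpt. Rejected lines follow the line quoted in the
# thread; the layout of the accepted lines is an assumption.
SAMPLE_LOG = """\
07-MAY-2012 14:58:41 * service_register * ORCL * 0
07-MAY-2012 15:00:07 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
07-MAY-2012 15:00:37 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
07-MAY-2012 15:01:07 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
07-MAY-2012 16:12:00 * service_update * ORCL * 0
"""

def rejected_registrations(log_text):
    """Yield (timestamp, event) for registrations refused with code 1194."""
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(" * ")]
        # Event lines are "timestamp * event * ... * return code".
        if len(fields) < 3 or not fields[1].startswith("service_register"):
            continue
        if fields[-1] == "1194":  # TNS-01194: not a secure transport
            yield fields[0], fields[1]

def bursts(log_text, threshold=3):
    """Hours ('DD-MON-YYYY HH') with at least `threshold` refused registrations."""
    per_hour = Counter(ts[:14] for ts, _ in rejected_registrations(log_text))
    return {hour: n for hour, n in per_hour.items() if n >= threshold}

print(bursts(SAMPLE_LOG))
```

Refusals can come from the site's own instance that still registers over TCP, which is what the reply above asks about, so check local_listener before treating them as hostile.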

  • How to address CVE-2012-1675 with Oracle Express 11.2.0.2 release june 2014? No access to patches via the Oracle Critical Patch Update page..

    Where do we find the patch for Express user downloads? The Oracle Critical Patch Update site requires a valid support license.

    XE is not patch-able - there is no support available.
