CVE-2012-1675 IPC METHOD CORRECT

Hi, I’m hoping someone can confirm I applied the CVE-2012-1675 patch against the poison attack correctly? I applied the IPC method. A few days ago I started getting ORA-3136 on one of my servers. I need to rule out the poison attack as a possible cause!
The instructions said I could use IPC method but it looks like it now has a TCP fix as well. I tried confirming the patch following instructions but I do not get the errors as described. My listener "services" does show connecting as IPC.
My server is a Windows 11.1.0.7 NON-RAC used for our data warehouse. The data warehouse Informatica software is housed offsite so it does have an offsite client connection to another server. When I get an ORA-3136 error the data warehouse job also fails.
Can anyone confirm the IPC patch method should work for my type of server OR why the COST test to see if it is working is not showing the expected error?
Thanks for taking my questions!!
Kathie

Similar Messages

  • April 2012 CVE-2012-1675 security alert - issues

    Thanks for taking my questions.
    We are Windows 11g (non RAC). The April Security Patch CVE-2012-1675 ID: 1453883.1
    This fix isn't working for me. STEP 4) Replace the tcp address in the database ….. errors.
    I did some more digging and found they updated the doc ID: 1453883.1 to include TCP but the first step is “OBTAIN AND APPLY THE PATCH FOR BUG:12880299”. I can’t find this patch or bug.
    Has anyone tackled this fix and got it to work?
    Thanks,
    Kathie

    Thanks everyone for the helpful information!! I sometimes have a real difficult time searching for stuff in Oracle Support so the forum is my reality check:)
    Anyway, I did get the IPC method to work. I think the entries in the network.ora file had to be in a specific order. After I changed the IPC entry before the TCP entry the change applied as expected.
    My understanding is that either the IPC or the TCP change will protect you. If anyone knows something other than that please let me know.
    Thanks again for the help!
    Kathie

  • TNS Listener Poison attack : Oracle Security Alert for CVE-2012-1675

    Hi,
    I'm looking to implement the following oracle document about COST but not sure what we need to do for Standby Environment ,
    Can you guys please advise.
    Oracle Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]
    Oracle Security Alert for CVE-2012-1675
    Thanks

    user097815 wrote:
    with regards to the below thread which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"....i just wanted to find out if this affect DB that are externally or internally....meaning 95% of our DB are in network(internally) behind our firewall....and rest of the 5% are outside our firewall facing the world wide web....so does this apply to both or just one?
    The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
    IMO, mandatory if you expose your Listener to an unsecured or public network (e.g. internet).
    As for Listeners running on your internal network - if this attack is used, securing your Listeners means very little IMO. Because your internal network already needs to be compromised in order for the attack to occur. Which means you have far more serious problems than someone attacking your Listeners.

  • Oracle Security Alert for CVE-2012-1675

    Hi,
    I want to know more about recent release "Oracle Security Alert" : http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
    Document available in https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
    Fix is about Class of Secure Transport (COST). I need to know about elaborate steps to find out whether this change is need to apply to my databases or not.
    About my DBs : 10.2.4 , AIX, Nondefault Listener, Shared env , non RAC, local_listener is null & running in pfile.
    Thx,
    Gowin.

    Hello;
    Apply it. Very clean. Simple. No outage on Non-RAC. Biggest Impact is listener stop and start. Took about 3 minutes per server.
    Tested today and had zero issues. ( Assumed you understood a CONNECT was part of the test ). Zero issues.
    Had a thread on this here a few days ago :
    Oracle TNS Poison vulnerability
    See Oracle Support Note 1453883.1 for additional information.
    Best Regards
    mseberg
    With all due respect this isn't very hard. Make a decision.
    Edited by: mseberg on May 2, 2012 7:13 AM

  • Oracle TNS Poison vulnerability - CVE-2012-1675

    Oracle announced a zero day vulnerability today - http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
    Looks like a man in the middle attack.
    For CF8 or CF9, can the native oracle driver be configured to use SSL/TLS?

    Rather than attempting to patch something without official patches and potentially breaking your license to use it, I suggest disabling listener dynamic registration and configuring a static local_listener parameter within your XE database.  The TNS poison vulnerability relies on dynamic listener registration, and by disabling it we should no longer have risk from this vulnerability.

  • Windigo Botnet - Is this detection method correct?

    After reading today about the Windigo Botnet (http://www.eset.com/int/about/press/articles/article/operation-windigo-largest-server-botnet-uncovered/) I used the suggested method for checking for infection, which was detailed in the article.
    The code to be run is
    $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
    After running the command in Terminal, the response was "System infected".
    Can someone confirm if the code given is correct for checking my OS X Mavericks.
    I would hate to re-install my OS if it was just echoing back "System infected" rather than actually detecting the malware.
    Can someone from Apple let us know if this is indeed the correct method of detection?

    GITHUB (https://github.com/eset/malware-ioc/tree/master/windigo)
    One can use the following command to determine if the server he is on is compromised:
    ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
    This code is missing the "$" and has the output of   "System clean"

  • Oracle FAILSAFE and CVE-2012-1675

    Folks,
    I'm running Oracle 10.2.0.3 {PATCH 29} on Windows32 with Oracle Failsafe 3.4.4.1. I've tried implementing the IPC fix and the dynamic_registration=OFF fix as prescribed and get the listener.log error listed below with either attempt. It doesn't look like either fix works for FAILSAFE.
    +07-MAY-2012 15:00:07 * service_register_NSGR * 1194+
    TNS-01194: The listener command did not arrive in a secure transport
    How do I implement this fix on my environment?
    Any and all help is GREATLY APPRECIATED!

    Hello;
    Did you do this ? :
    Plus for each database
    alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
    "With COST enabled for TCP attempts to register with the listener from anything other than the local system using TCP is rejected and an event is logged"
    TNS-01194
    Might look at these as an option :
    How to Add New Listeners in a Fail Safe Environment [ID 217096.1]
    How to protect a listener with a password in Oracle Fail Safe? [ID 333239.1]
    Best Regards
    mseberg
    Edited by: mseberg on May 7, 2012 12:36 PM
    Edited by: mseberg on May 7, 2012 12:45 PM
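
    A way to scan a listener.log for the TNS-01194 rejections quoted in this thread, added here as an example; it is not code from the posters or from Oracle. The sample lines are constructed, and the layout of accepted entries (`service_register * <instance> * 0`) is an assumption; only the `service_register_NSGR * 1194` form comes from the page.

```python
import re

# Constructed sample log (not from a real system). Only the
# "service_register_NSGR * 1194" layout is taken from the thread above;
# the other entry layouts are assumptions about the listener.log format.
SAMPLE_LOG = """\
07-MAY-2012 14:58:41 * service_register * ORCL * 0
07-MAY-2012 14:59:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=dwhost)(USER=etl))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=50111)) * establish * ORCL * 0
07-MAY-2012 15:00:07 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
07-MAY-2012 15:00:37 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
07-MAY-2012 15:01:10 * service_update * ORCL * 0
"""

ENTRY = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (.+)$")
COST_REJECT = 1194  # TNS-01194: command did not arrive in a secure transport


def registration_events(log_text):
    """Yield (timestamp, event, instance, code) for registration entries."""
    for line in log_text.splitlines():
        # Forum exports sometimes wrap the entry in '+' markup; tolerate it.
        m = ENTRY.match(line.strip().strip("+"))
        if not m:
            continue  # TNS-nnnnn continuation lines, banners
        fields = [f.strip() for f in m.group(2).split(" * ")]
        event = fields[0]
        if not event.startswith(("service_register", "service_update")):
            continue  # client connections ("establish") and admin commands
        if not fields[-1].isdigit():
            continue  # no numeric return code, not an entry we understand
        instance = fields[1] if len(fields) == 3 else None
        yield m.group(1), event, instance, int(fields[-1])


def summarize(log_text):
    """Split registration entries into accepted, COST-rejected and other."""
    accepted, rejected, other = {}, [], []
    for ts, event, instance, code in registration_events(log_text):
        if code == 0:
            accepted[instance] = ts  # last successful entry per instance
        elif code == COST_REJECT:
            rejected.append(ts)
        else:
            other.append((ts, event, code))
    return {"accepted": accepted, "rejected_by_cost": rejected,
            "other_errors": other}


def assess(summary):
    """Short verdict; 'accepting-only' does not prove COST is disabled."""
    if summary["rejected_by_cost"]:
        return "rejecting"       # COST is refusing some registration attempts
    if summary["accepted"]:
        return "accepting-only"  # registrations seen, no TNS-01194 in this log
    return "no-activity"


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(assess(result), result)
```

    A "rejecting" verdict alongside accepted entries for the same instance points at a database that is still trying to register over a non-IPC address, which is the case the local_listener setting in the reply above addresses.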

  • EXPORT method correction

    Dear Respected Gurus,
    Can anyone put the highlights on export, if I am wrong anywhere. Also tell me what steps/procedure to follow before/after running export method
    exp system/system full=yes consistent=yes direct=yes
    file=d:\bk1,d:\bk2,d:\bk3 log=d:\fullexplog filesize=1073741824
    statistics=none
    regards,
    shahzad

    1. To disconnect user
    select sid, serial#, machine, username from v$session;
    From this list you can tell users to disconnect
    OR
    Use alter system kill session command. Run this SQL .. you'll get the command list to kill all active/inactive users:
    SELECT 'ALTER SYSTEM KILL SESSION '''||sid||','||serial#||''';'
    FROM v$session
    WHERE username IS NOT NULL
    AND username <>'SYS';
    OR (Most common method)
    Bounce the database and restart using
    startup restrict;
    2. Bring DB to restricted mode
    ALTER SYSTEM ENABLE RESTRICTED SESSION;
    3. Use the export command to export the DB
    4. To Disable restrict session
    ALTER SYSTEM DISABLE RESTRICTED SESSION;
    Suggestion/Note:
    ================
    Please do not use export as a backup policy. At most of the places exp is used as a backup policy, which is not correct.
    Use cold-physical backup for your scenario, Oracle also supports online physical backup. With the help of physical backup and archive-log you can do point-in-time recovery, which would not be possible with an export backup.
    Sudhanshu Bhandari
    perotsystems TSI

  • Migrating Clients from SMS 2003 to SCCM 2012 R2. Best method?

    I have set up a new SCCM 2012 R2 server to replace our existing SMS 2003.
    Our client systems (all Windows 7 SP1 x64 and x86) still have the SMS 2003 client installed but I would like to move them over to the SCCM 2012 R2 server now. I know there are several methods for installing the SCCM client (manual, push, group policy) but none of these provide a way to uninstall the old client.
    Is there a best practice or commonly used process for doing this? Should I be getting rid of the SMS client first by logon script or some other method and then pushing the SCCM client or some other way? Thank you for any advice.

    More info:
    Can I manage SMS 2003 clients with System Center 2012 Configuration Manager or migrate SMS 2003 sites and clients to System Center 2012 Configuration Manager?
    http://technet.microsoft.com/library/gg682088.aspx#FAQ_Migration

  • LV 2012 Calling FPGA method node with reference 0x000000 does not return error

    Why is it the case that when an FPGA reference is initialised with a constant (resulting in it having the value 0x000000), it doesn't return an error when passed to a method node?
    I'm having some weird behaviour in my code where 99% of the time when run, it doesn't function correctly (the reference is deemed valid despite being 0x000000) and then when initialised to an actual running FPGA, the FPGA doesn't seem to respond to commands.
    Edit: Further to the message, linking the reference to a NaN/Reference comparison returns true. So it's detected as being not a reference, but yet the method node doesn't see this as an error.

    Hi Alex,
    Can you please post a screenshot of the portion of your Host vi where you are creating the FPGA reference?
    Thanks,
    Allie

  • How to validate CVE-2012-1675 and COST restriction

    Hello,
    I am curious to know about the test case to validate the COST and CVE 1675 implementation. I have 3 node cluster node running on 11.2.0.3.0 with SCAN. i tried to search in metalink but couldn't find any document which states about the test/validation case. Please help.
    Thanks,
    Pankaj

    I am not sure if you are looking for steps to reproduce the vulnerability or just to see what the impact is if it's not patched.
    Here is a demo https://www.youtube.com/watch?v=hE3-AkxSX3w of what happens if patch is not applied.
    Hope this helps.
    Regards,
    NC
    Edited by: NC on Mar 28, 2013 2:40 AM

  • TNS Listener Poison Attack - CVE-2012-1675

    I have few databases from Oracle 9i to Oracle 11g. Many are standalone instances,and few RAC instances.
    My questions are
    1) For standalone instances, will the following setting in listener.ora file and restarting listener addresses this vulnerability? Or is there any thing else we need to do? We want to avoid any patches now and see if we can resolve this quickly.
    DYNAMIC_REGISTRATION_LISTENER = off
    2) If we dont configure "remote_listener", is it applicable for us?
    3) For RAC instances, I can follow the steps mentioned in
    Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
    Regards,
    Sarayu

    Sarayu;
    1) For standalone instances, will the following setting in listener.ora file and restarting listener addresses this vulnerability? Or is there any thing else we need to do? We want to avoid any patches now and see if we can resolve this quickly.
    DYNAMIC_REGISTRATION_LISTENER = off
    A: No you need to add another setting : ( (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER)) )
    Example :
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = your hostname)(PORT = 1521))
          (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
        )
      )
    Plus for each database
    alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
    stop and start the listener
    Read note 1453883.1
    Oracle 9 - No idea
    2) If we dont configure "remote_listener", is it applicable for us?
    A: Yes you should still fix your listener.ora
    3) For RAC instances, I can follow the steps mentioned in
    Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
    A: Yes.
    Best Regards
    mseberg
    Aman - Great memory!

  • Constructor compiles, arraylists, not calling method correctly?

    I am starting back on the program from yesterday! Working with arraylists
    I have the constructor compiling, both class files compile.,
    with the code i have in the driver file, the driver file is not compiling
    code is:
    for hotel class: (compiles)
    import java.util.ArrayList;
    public class Hotel//Sets the class
    {
          ArrayList<Room> theRooms;
          private String name;
          private String location;
          private int occupiedCnt=0;
          private double occupancyPercentage = 0;
          private double DailySales = 0;
          private static final int NOT_FOUND = -1;
    // constructor method
    public Hotel(String n, String a)
    {
            name = n;
            location = a;
    }
    /** accessor methods with calculations **/
    //returns a boolean that is true if all the rooms in the hotel are occupied
    public boolean isFull()
    {
       return true;
    }
    //returns a boolean that is true if all the rooms in the hotel are unoccupied.
    public boolean isEmpty()
    {
       return true;
    }
    /** The Hotel will have an addRoom method that will create each room with the required
    information: room number, bed type, smoking/non-smoking, and the room rate.  Create
    at least 5 rooms with different characteristics. Each room will also have a boolean
    field called occupied attribute that will be set to false when the room is created.**/
    public void addRoom(String bd, int rn, char s, double r)
    {
       Room newRoom = new Room(bd,rn,s,r );
       theRooms.add(newRoom);
    }
    }
    for the rooms class: (compiles)
    public Room(String bd, int rn, char s,
                      double r)
    {
          roomNum = rn;
          bedType = bd;
          smoking = s;
          rate = r;
    }
    For the driver file (does not compile and i am sure that I am calling the method incorrectly) first time working with arraylists.......
    public class TestHotel
    {
    public static void main(String[] args)
    {
             Hotel pensacola = new Hotel("Browns Town", "3308 Damon Dr Milton Fl32583");
             //pensacola.addReservation();
             pensacola.theRooms.add(newRoom("king",201,'s',59.99));
    }
    }
    error that i am getting:
    ----jGRASP exec: javac -g C:\Users\Jessie\Documents\java\class project files\project 7\TestHotel.java
    TestHotel.java:25: cannot find symbol
    symbol : method newRoom(java.lang.String,int,char,double)
    location: class TestHotel
    pensacola.theRooms.add(newRoom("king",201,'s',59.99));
    ^
    1 error
    ----jGRASP wedge2: exit code for prcess is 1.
    ----jGRASP: operation complete.
    again i am sure it is something simple like how i am calling the method. any pointers appreciated.

    NEVER MIND...........maybe should be drinking coffee instead of drinking Coke!

  • Whenever I try to export my form data into a csv it is not formatted correctly

    Whenever I try to export my data into a CSV and open it in notepad it does not place each row on a separate line. Is there any way to insert a return at the end of the form or data so that each row is on a separate line?

    FormsCentral produces CSV files that use CR (Carriage Return) as the row delimiter.  NotePad requires CRLF (Carriage Return + Line Feed).  If you use a different text editor (WordPad, NotePad++) you will find each record on its own line (assuming you do not have word wrap enabled).

  • Compiler not inferring legal methods correctly?

    The following sample code:
    public class Tester {
      public static <E extends Integer> void doit ( final E[] a ) {
        System.out.println ( a[0] / 4 ) ;
      }
      public static void main ( final String[] args ) {
        Tester.doit ( new Integer[] { 2 , 3 , 4 } ) ;
      }
    }
    results in the error message:
    Tester.java:3: cannot find symbol
    symbol : method intValue()
    location: bound of type variable E
    System.out.println ( a[0] / 4 ) ;
    ^
    Fatal Error: Unable to find method intValue
    I think the compiler is wrong here but then I may be wrong :-) The type parameter E has least upper bound Integer and so the compiler knows that a[0] is required to have an intValue method (from Number). The issue is nothing to do with the method being static as you get the same error message with a non-static method.
    I suspect that the compiler is treating E as having least upper bound of Object since it can find the toString method -- you can show this by removing the "/ 4" from the code.

    Note that this is an autoboxing bug. It's only tangentially related to generic syntax.
    It is an autoboxing issue but it is also a type lookup issue in the compiler relating to bounds on a type parameter. I am not sure you would get the problem except with generic methods but I haven't tried so I may be talking b$$$$$$$.
    Are you saying you want to extend Integer to create classes that are doing other things than just being integers?
    Actually I would like to be able to extend Integer (and Long) to create subrange types that are primitive integer values boxed with fixed range. This is trivial in C++ (see http://www.russel.org.uk/subrange.html) and I was investigating doing the same thing in Java.
    Wouldn't it be better to create an interface like RadixSortable which would supply an int representation of the Object?
    Unfortunately it is Integers that need to be sorted and they could not be made RadixSortable :-(
    I have a class RadixSort with a method sort. I am fiddling with various implementations to show design decisions so there isn't just one solution that I am interested in -- the library is for teaching and so having examples of different design issues is important unlike Collections and JGL where you just need the right functionality with the fastest possible implementation.
    The reason they are final is that they are the primitive wrapper classes. To behave like primitives, they must be immutable. If they were extensible, mutable Integer types could be created.
    Is this certain? If the state is private the subclasses could not change the value and immutability is retained. What I wanted was the ability to create subrange integral types which could use expression syntax.
    (Given the way Java is organized real subrange types are seemingly impossible but . . . )
    I'm not sure how improving Number (I agree it could be improved upon) would solve your issues. I am not sure there is a problem with Number per se since the methods that are common to Short, Integer, Long, Float and Double are few and far between. What I think is missing is the notions of integral (Short, Integer, Long) to allow algorithms that do not actually depend on the bounds of values representable.
    However this is all diverging far from the "generics" issues that this forum is about :-)
