CVE-2012-4681

Similar Messages

• CVE-2012-X

  SecLists claims to have "discovered yet another security vulnerability" http://seclists.org/bugtraq/2012/Sep/109. It is unclear to me if they are talking about a vulnerability in addition to CVE-2012-4681 and whether the findings will be bundled into CVE-2012-4681. I intend to inquire internally whether exploitable code exists for any vulnerabilities subsequent to -4681. There does not seem to be a new CVE number associated with seclist's finding.
  I'm also hoping to open some forum discussion to help us understand better the scope of the threat. The CVE-2012-4681 references the Oracle press release which indicates "These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications" http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html. Why would only browser clients be vulnerable? Wouldn't standalone clients that might attempt to retrieve a URL that may contain malicious code also be at risk?

  Pat,
  I just downloaded and tested both the SPARC and x86 version from that site.
  Sad to say only version 223 is available at that location.
  Even if you don't have a Solaris system to check, extract the files and you will see the folder name is as follows.
  flash_player_solaris_11_2_202_223_x86
  flash_player_solaris_11_2_202_223_sparc
  I did test on a Solaris system and it confirmed that these are indeed 223.
  Thus, I asked the question, isn't Solaris affected as well?
  How may I push this up for action? The security community is rather adament that we patch for this CVE.
  chesneyb

• TNS Listener Poison attack : Oracle Security Alert for CVE-2012-1675

  Hi,
  I'm looking to implement the following oracle document about COST but not sure what we need to do for Standby Environment ,
  Can you guys please advise.
  Oracle Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]
  Oracle Security Alert for CVE-2012-1675
  Thanks

  user097815 wrote:
  with regrads to the below thread which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"....i just wanted to find out if this effect DB that are externally or internally....meaning 95% of our DB are in network(internally) behind our firewall....and rest of the 5% are outside our firewall facing the world wide web....so does this apply to both of just one ?The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
  IMO, mandatory if you expose your Listener to an unsecured or public network (e.g. internet).
  As for Listeners running on your internal network - if this attack is used, securing your Listeners mean very little IMO. Because your internal network already needs to be compromised in order for the attack to occur. Which means you have far more serious problems then someone attacking your Listeners.

• Oracle Security Alert for CVE-2012-1675

  Hi,
  I want to know more about recent release "Oracle Security Alert" : http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
  Document available in https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
  Fix is about Class of Secure Transport (COST). I need to know about elaborate steps to find out whether this change is need to apply to my databases or not.
  About my DBs : 10.2.4 , AIX, Nondefault Listener, Shared env , non RAC, local_listener is null & running in pfile.
  Thx,
  Gowin.

  Hello;
  Apply it. Very clean. Simple. No outage on Non-RAC. Biggest Impact is listener stop and start. Took about 3 minutes per server.
  Tested today and had zero issues. ( Assumed you understood a CONNECT was part of the test ). Zero issues.
  Had a thread on this here a few days ago :
  Oracle TNS Poison vulnerability
  See Oracle Support Note 1453883.1 for additional information.
  Best Regards
  mseberg
  With all due respect this isn't very hard. Make a decision.
  Edited by: mseberg on May 2, 2012 7:13 AM

• April 2012 CVE-2012-1675 sercuity alert - issues

  Thanks for taking my questions.
  We are windows 11g (non rac) The April Security Patche CVE-2012-1675 ID: 1453883.1
  This fix isn't working for me. STEP 4) Replace the tcp address in the database ….. errors.
  I did some more digging and found they updated the doc ID: 1453883.1 to include TCP but the first step is “OBTAIN AND APPLY THE PATCH FOR BUG:12880299. I can’t find this patch or bug.
  Has anyone tackeled this fix and got it to work?
  Thanks,
  Kathie

  Thanks everyone for the helpful information!! I sometimes have a real difficult time searching for stuff in Oracle Support so the forum is my reality check:)
  Anyway, I did get the ICP method to work. I think the entries in the network.ora file had to be in a specific order. After I changed the IPC entry before the TCP entry the change applied as excpected.
  My understanding is that either the IPC or the TCP change will protect you. If anyone knows something other than that please let me know.
  Thanks again for the help!
  Kathie

• Oracle TNS Poison vulnerability - CVE-2012-1675

  Oracle announced a zero day vulnerability today - http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
  Looks like a man in the middle attack.
  For CF8 or CF9, can the native oracle driver be configured to use SSL/TLS?

  Rather than attempting to patch something without official patches and potentially breaking your license to use it, I suggest disabling listener dynamic registration and configuring a static local_listener parameter within your XE database.  The TNS poison vulnerability relies on dynamic listener registration, and by disabling it we should no longer have risk from this vulnerability.

• CVE-2012-0779

  Regarding CVE-2012-0779,
  I see that there are updates for just about every operating system other than Solaris to cover this vulnerability.
  1.  Are Solaris 10 SPARC and x86 affected as well?
  2.  If so, will there be a patch released and when?
  Thank-you!
  chesneyb
  Sorry if I have posted this on one too many forums.

  Pat,
  I just downloaded and tested both the SPARC and x86 version from that site.
  Sad to say only version 223 is available at that location.
  Even if you don't have a Solaris system to check, extract the files and you will see the folder name is as follows.
  flash_player_solaris_11_2_202_223_x86
  flash_player_solaris_11_2_202_223_sparc
  I did test on a Solaris system and it confirmed that these are indeed 223.
  Thus, I asked the question, isn't Solaris affected as well?
  How may I push this up for action? The security community is rather adament that we patch for this CVE.
  chesneyb

• How to validate CVE-2012-1675 and COST restriction

  Hello,
  I am curious to know about the test case to validate the COST and CVE 1675 implementation. I have 3 node cluster node running on 11.2.0.3.0 with SCAN. i tried to search in metalink but couldn't find any document which states about the test/validation case. Please help.
  Thanks,
  Pankaj

  I am not sure if you looking for steps to reproduce the vulnerability or just see what is the impact if its not patched.
  Here is a demo https://www.youtube.com/watch?v=hE3-AkxSX3w of what happens if patch is not applied.
  Hope this helps.
  Regards,
  NC
  Edited by: NC on Mar 28, 2013 2:40 AM

• Oracle FAILSAFE and CVE-2012-1675

  Folks,
  I'm running Oracle 10.2.0.3 {PATCH 29} on Windows32 with Oracle Failsafe 3.4.4.1. I've tried implementing the IPC fix and the dynamic_registration=OFF fix as prescribed and get the listener.log error listed below with either attempt. It doesn't look like either fix works for FAILSAFE.
  +07-MAY-2012 15:00:07 * service_register_NSGR * 1194+
  TNS-01194: The listener command did not arrive in a secure transport
  How do I implement this fix on my environment?
  Any and all help is GREATLY APPRECIATED!

  Hello;
  Did you do this ? :
  Plus for each database
  alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
  "With COST enabled for TCP attempts to register with the listener from anything other than the local system using TCP is rejected and an event is logged"
  TNS-01194
  Might look at these as an option :
  How to Add New Listeners in a Fail Safe Environment [ID 217096.1]
  How to protect a listener with a password in Oracle Fail Safe? [ID 333239.1]
  Best Regards
  mseberg
  Edited by: mseberg on May 7, 2012 12:36 PM
  Edited by: mseberg on May 7, 2012 12:45 PM

• IOracle Security Alert for CVE-2012-1675 Released April 30th, 2012.

  Kinldy let me know how ill I down load the patch for this . Currently we have Oracle DB on versions 10.2.0.4, 10.1.0 , 11.2.0.3 in RAC. Do we need to apply the patch for all these databases. I have no applied any patches after Oracle is installed , Can I update this patch directly or i need to apply the pervious patches before this
  I am a beginner and not a DBA , but i need to support the db also as part of application suppot. Kiindly help

  Patches are only available at Oracle's support site - https://support.oracle.com - access to which is granted only if you have a support contract with Oracle.
  After you download the patch(es), follow the steps in the README
  HTH
  Srini

• TNS Listener Poison Attack - CVE-2012-1675

  I have few databases from Oracle 9i to Oracle 11g. Many are standalone instances,and few RAC instances.
  My questions are
  1) For standalone instances, will the following setting in listener.ora file and restarting listener addresses this vulnerability? Or is there any thing else we need to do? We want to avoid any patches now and see if we can resolve this quickly.
  DYNAMIC_REGISTRATION_LISTENER = off
  2) If we dont configure "remote_listener", is it applicable for us?
  3) For RAC instances, I can follow the steps mentioned in
  Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
  Regards,
  Sarayu

  Sarayu;
  1) For standalone instances, will the following setting in listener.ora file and restarting listener addresses this vulnerability? Or is there any thing else we need to do? We want to avoid any patches now and see if we can resolve this quickly.
  DYNAMIC_REGISTRATION_LISTENER = off
  A: No you need to add another setting : ( (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER)) )
  Example :
  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = your hostname)(PORT = 1521))
        (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    Plus for each database
  alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
  stop and start the listener
  Read note 1453883.1
  Oracle 9 - No idea
  2) If we dont configure "remote_listener", is it applicable for us?
  A: Yes you should still fix your listener.ora
  3) For RAC instances, I can follow the steps mentioned in
  Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
  A: Yes.
  Best Regards
  mseberg
  Aman - Great memory!

• CVE-2012-5272, APSB12-22

  Hi,
  I am sorry if I started this topic in a wrong forum. The problem is that at the moment I am doing a little research work about this vulnerability. On the web I found some general information about it, but what I need is details (for example, how the arbitrary code could have been exploited). The another major question is solution to this vulnerability. The only information I found was "The security update is available, so you need to update". What I need is more specific information like what changed in that security update, some lines of code maybe.
  I am looking forward to hearing from you. I hope you will help me if that is possible.
  Best regards,
  Andrei.

  Adobe does not release details of security updates to members of the general public.
  Feel free to reach out to the Adobe Product Security Incident Response Team if you are a researcher or other industry professional via email, as PSIRT at adobe dot com.
  If you work for an organization that already has a Non-disclosure agreement in place with Adobe, please surface the issue with your Adobe contact.  They can contact me directly and I'll put them in touch with the right folks.
  Thanks,
  Jeromie Clark
  Quality Engineering Manager - Flash Runtime Security
  Adobe Systems, Inc

• How to address CVE-2012-1675 with Oracle Express 11.2.0.2 release june 2014? No access to patches via the Oracle Critical Patch Update page..

  Where do we find the patch for Express user downloads? The Oracle Critical Patch Update site requires a valid support license.

  XE is not patch-able - there is no support available.

• Listener Poison Attack (CVE-2012-1675).

  I want to fix Listener Poison Attack for non RAC system, but I can't open the url https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
  Can someone get the note for me ? Thanks!

  Hi there,
  You posted this in the Application Express forum. At first glance, it looks like this issue is with the database listener - nothing directly to do with Application Express, really.
  Joel

• Oracle Critical Patch Update - July 2012

  I need to apply this Critical Patch in my databases but I have a doubt about if the component that I find out in the documentation is the component where the fix has to be applied or doesn't matter and I have to apply this fix on all my installations.
  CVE#           Component          
  CVE-2012-1740 - Oracle Application Express Listener
  CVE-2011-3192 - Apache
  CVE-2012-1737 - Enterprise Manager for Oracle Database
  CVE-2012-1745 - The vulnerability affects Microsoft Windows platforms only.
  CVE-2012-1746 - The vulnerability affects Microsoft Windows platforms only.
  CVE-2012-1747 - The vulnerability affects Microsoft Windows platforms only.
  CVE-2012-3134 - The vulnerability affects Microsoft Windows platforms only.
  CVE-2011-4885 - PHP

  - OS Platforms Solaris 10, Linux Suse and Linux Red Hat 5.6
  - Databases' version that we have are 10.2.0.2, 10.2.0.3, 10.2.0.4, 11.1.0.7, 11.2.0.1 and 11.2.0.2
  - Don't use EBS or other component
  - When I checked the documentation I had doubt with the Oracle Database Risk Matrix about the component and if I have to apply those patches.