How to validate CVE-2012-1675 and COST restriction

Similar Messages

• How to address CVE-2012-1675 with Oracle Express 11.2.0.2 release june 2014? No access to patches via the Oracle Critical Patch Update page..

  Where do we find the patch for Express user downloads? The Oracle Critical Patch Update site requires a valid support license.

  XE is not patch-able - there is no support available.

• TNS Listener Poison attack : Oracle Security Alert for CVE-2012-1675

  Hi,
  I'm looking to implement the following oracle document about COST but not sure what we need to do for Standby Environment ,
  Can you guys please advise.
  Oracle Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]
  Oracle Security Alert for CVE-2012-1675
  Thanks

  user097815 wrote:
  with regrads to the below thread which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"....i just wanted to find out if this effect DB that are externally or internally....meaning 95% of our DB are in network(internally) behind our firewall....and rest of the 5% are outside our firewall facing the world wide web....so does this apply to both of just one ?The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
  IMO, mandatory if you expose your Listener to an unsecured or public network (e.g. internet).
  As for Listeners running on your internal network - if this attack is used, securing your Listeners mean very little IMO. Because your internal network already needs to be compromised in order for the attack to occur. Which means you have far more serious problems then someone attacking your Listeners.

• Oracle Security Alert for CVE-2012-1675

  Hi,
  I want to know more about recent release "Oracle Security Alert" : http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
  Document available in https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
  Fix is about Class of Secure Transport (COST). I need to know about elaborate steps to find out whether this change is need to apply to my databases or not.
  About my DBs : 10.2.4 , AIX, Nondefault Listener, Shared env , non RAC, local_listener is null & running in pfile.
  Thx,
  Gowin.

  Hello;
  Apply it. Very clean. Simple. No outage on Non-RAC. Biggest Impact is listener stop and start. Took about 3 minutes per server.
  Tested today and had zero issues. ( Assumed you understood a CONNECT was part of the test ). Zero issues.
  Had a thread on this here a few days ago :
  Oracle TNS Poison vulnerability
  See Oracle Support Note 1453883.1 for additional information.
  Best Regards
  mseberg
  With all due respect this isn't very hard. Make a decision.
  Edited by: mseberg on May 2, 2012 7:13 AM

• April 2012 CVE-2012-1675 sercuity alert - issues

  Thanks for taking my questions.
  We are windows 11g (non rac) The April Security Patche CVE-2012-1675 ID: 1453883.1
  This fix isn't working for me. STEP 4) Replace the tcp address in the database ….. errors.
  I did some more digging and found they updated the doc ID: 1453883.1 to include TCP but the first step is “OBTAIN AND APPLY THE PATCH FOR BUG:12880299. I can’t find this patch or bug.
  Has anyone tackeled this fix and got it to work?
  Thanks,
  Kathie

  Thanks everyone for the helpful information!! I sometimes have a real difficult time searching for stuff in Oracle Support so the forum is my reality check:)
  Anyway, I did get the ICP method to work. I think the entries in the network.ora file had to be in a specific order. After I changed the IPC entry before the TCP entry the change applied as excpected.
  My understanding is that either the IPC or the TCP change will protect you. If anyone knows something other than that please let me know.
  Thanks again for the help!
  Kathie

• Oracle TNS Poison vulnerability - CVE-2012-1675

  Oracle announced a zero day vulnerability today - http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
  Looks like a man in the middle attack.
  For CF8 or CF9, can the native oracle driver be configured to use SSL/TLS?

  Rather than attempting to patch something without official patches and potentially breaking your license to use it, I suggest disabling listener dynamic registration and configuring a static local_listener parameter within your XE database.  The TNS poison vulnerability relies on dynamic listener registration, and by disabling it we should no longer have risk from this vulnerability.

• How can validate the ASM size and free space correctly?

  Dears ,,
  I faced problem in ASM size as it appeared in alert file as below
  ORA-19504: failed to create file "+DG_DATA"
  ORA-17502: ksfdcre:4 Failed to create file +DG_DATA
  ORA-15041: diskgroup space exhausted
  So we resize ASM space and large it. But we faced the same problem also although there is free space in ASM.
  It seems that the shown free space is not real.
  How can validate the ASM size and free space correctly?
  Thanks & Regards,,

  *Oracle DBA* wrote:
  Dears ,,
  I faced problem in ASM size as it appeared in alert file as below
  ORA-19504: failed to create file "+DG_DATA"
  ORA-17502: ksfdcre:4 Failed to create file +DG_DATA
  ORA-15041: diskgroup space exhausted
  So we resize ASM space and large it. But we faced the same problem also although there is free space in ASM.
  It seems that the shown free space is not real.
  How can validate the ASM size and free space correctly?
  Thanks & Regards,,
  I was having this problem. Im my case i couldn add datafiles to a tablespace despite the fact that i was having a lot of space in the asm. Try rebalancing. It might help. In my case rebalancing also didn work because it seems that there need to be a threshold space in all the disks for the rebalancing to happen which was not in my case, so i had to shrink some unused space in the tablespace and then after gaining the required space I rebalanced the disk and then the disks got rebalanced, also i was able to use the free space that was showing .

• How to validate XML against XSD and parse/save in one step using SAXParser?

  How to validate XML against XSD and parse/save in one step using SAXParser?
  I currently have an XML file and XSD. The XML file specifies the location of the XSD. In Java code I create a SAXParser with parameters indicating that it needs to validate the XML. However, SAXParser.parse does not validate the XML, but it does call my handler functions which save the elements/attributes in memory as it is read. On the other hand, XMLReader.parse does validate the XML against the XSD, but does not save the document in memory.
  My code can call XMLReader.parse to validate the XML followed by SAXParser.parse to save the XML document in memory. But this sound inefficient. Besides, while a valid document is being parsed by XMLReader, it can be changed to be invalid and saved, and XMLReader.parse would be looking at the original file and would think that the file is OK, and then SAXParser.parse would parse the document without errors.
  <Book xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="book.xsd" name="MyBook">
    <Chapter name="First Chapter"/>
    <Chapter name="Second Chapter">
      <Section number="1"/>
      <Section number="2"/>
    </Chapter>
  </Book>
  <?xml version="1.0" encoding="ISO-8859-1" ?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="Book">
  <xs:complexType>
    <xs:sequence>
     <xs:element name="Chapter" minOccurs="0" maxOccurs="unbounded">
      <xs:complexType>
       <xs:sequence>
        <xs:element name="Section" minOccurs="0" maxOccurs="unbounded">
         <xs:complexType>
          <xs:attribute name="xnumber"/>
        </xs:complexType>
        </xs:element>
       </xs:sequence>
       <xs:attribute name="name"/>
      </xs:complexType>
     </xs:element>
    </xs:sequence>
    <xs:attribute name="name"/>
  </xs:complexType>
  </xs:element>
  </xs:schema>
  public class SAXXMLParserTest
     public static void main(String[] args)
        try
           SAXParserFactory factory = SAXParserFactory.newInstance();
           factory.setNamespaceAware(true);
           factory.setValidating(true);
           SAXParser parser = factory.newSAXParser();
           parser.setProperty("http://java.sun.com/xml/jaxp/properties/schemaLanguage",
                              "http://www.w3.org/2001/XMLSchema");
           BookHandler handler = new BookHandler();
           XMLReader reader = parser.getXMLReader();
           reader.setErrorHandler(handler);
           parser.parse("xmltest.dat", handler); // does not throw validation error
           Book book = handler.getBook();
           System.out.println(book);
           reader.parse("xmltest.dat"); // throws validation error because of 'xnumber' in the XSD
  public class Book extends Element
     private String name;
     private List<Chapter> chapters = new ArrayList<Chapter>();
     public Book(String name)
        this.name = name;
     public void addChapter(Chapter chapter)
        chapters.add(chapter);
     public String toString()
        StringBuilder builder = new StringBuilder();
        builder.append("<Book name=\"").append(name).append("\">\n");
        for (Chapter chapter: chapters)
           builder.append(chapter.toString());
        builder.append("</Book>\n");
        return builder.toString();
     public static class BookHandler extends DefaultHandler
        private Stack<Element> root = null;
        private Book book = null;
        public void startDocument()
           root = new Stack<Element>();
        public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException
           if (qName.equals("Book"))
              String name = attributes.getValue("name");
              root.push(new Book(name));
           else if (qName.equals("Chapter"))
              String name = attributes.getValue("name");
              Chapter child = new Chapter(name);
              ((Book)root.peek()).addChapter(child);
              root.push(child);
           else if (qName.equals("Section"))
              Integer number = Integer.parseInt(attributes.getValue("number"));
              Section child = new Section(number);
              ((Chapter)root.peek()).addSection(child);
              root.push(child);
        public void endElement(String uri, String localName, String qName) throws SAXException
           Element finished = root.pop();
           if (root.size() == 0)
              book = (Book) finished;
        public Book getBook()
           return book;
        public void error(SAXParseException e)
           System.out.println(e.getMessage());
        public void fatalError(SAXParseException e)
           error(e);
        public void warning(SAXParseException e)
           error(e);
  public class Chapter extends Element
     public static class Section extends Element
        private Integer number;
        public Section(Integer number)
           this.number = number;
        public String toString()
           StringBuilder builder = new StringBuilder();
           builder.append("<Section number=\"").append(number).append("\"/>\n");
           return builder.toString();
     private String name;
     private List<Section> sections = null;
     public Chapter(String name)
        this.name = name;
     public void addSection(Section section)
        if (sections == null)
           sections = new ArrayList<Section>();
        sections.add(section);
     public String toString()
        StringBuilder builder = new StringBuilder();
        builder.append("<Chapter name=\"").append(name).append("\">\n");
        if (sections != null)
           for (Section section: sections)
              builder.append(section.toString());
        builder.append("</Chapter>\n");
        return builder.toString();
  }Edited by: sn72 on Oct 28, 2008 1:16 PM

  Have you looked at the XML DB FAQ thread (second post) in this forum? It has some examples for validating XML against schemas.

• How to get G/L account and cost centres from ECC to SRM...

  Dear All,
  How to get G/L account and cost centres from ECC to SRM...
  Please let me know the steps...
  Thanks
  Ravi

  Hi
  GL account - You can define in SPRO- Cross application settings--Account assignment ->Define GL account for product category and account assignment category.
  or you can use BADI BBP_DETERMINE_ACCT.
  In Organisation Strucute - You can Map the backend cost center via KNT  cost center attribute .
  Regards
  Muthu

• Oracle FAILSAFE and CVE-2012-1675

  Folks,
  I'm running Oracle 10.2.0.3 {PATCH 29} on Windows32 with Oracle Failsafe 3.4.4.1. I've tried implementing the IPC fix and the dynamic_registration=OFF fix as prescribed and get the listener.log error listed below with either attempt. It doesn't look like either fix works for FAILSAFE.
  +07-MAY-2012 15:00:07 * service_register_NSGR * 1194+
  TNS-01194: The listener command did not arrive in a secure transport
  How do I implement this fix on my environment?
  Any and all help is GREATLY APPRECIATED!

  Hello;
  Did you do this ? :
  Plus for each database
  alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
  "With COST enabled for TCP attempts to register with the listener from anything other than the local system using TCP is rejected and an event is logged"
  TNS-01194
  Might look at these as an option :
  How to Add New Listeners in a Fail Safe Environment [ID 217096.1]
  How to protect a listener with a password in Oracle Fail Safe? [ID 333239.1]
  Best Regards
  mseberg
  Edited by: mseberg on May 7, 2012 12:36 PM
  Edited by: mseberg on May 7, 2012 12:45 PM

• Help: How to Validate XML using SAXParser and return the entire error list

  Hi,
  I have a problem, I'm trying to validate a xml document against the DTD. Here Im using SAXParser and having the ErrorHandler object passed when setting the error Handler, like parser.setErrorHandler(errorHandlerObj).
  I need an output like where the entire XML document is read and all the errors have to be reported with the line number.
  like example:
  <b>Line 6: <promp>
  [Error]:Element type "promp" must be declared.
  Line 8: </prompt>
  [Fatal Error]:The end-tag for element type "promp" must end with a '>' delimiter.
  who can i achieve this.</b>
  what happens with the present code is that it throws the first error it encountered and comes out.
  how can i solve this problem

  You can try to set the following feature to 'true' for your SAXParser:
  http://apache.org/xml/features/continue-after-fatal-error
  At least Xerces supports this feature.

• How to validate XML at runtime and show the exact cause of validation failure .

  Hi
  How can I validate my generated XML at runtine against its schema ? I have used
  the validate() method and it does validate correctly against the schema but the
  problem is it just returns a boolean . I need to know the exact cause of failure
  (like for example The element X was supposed to contain Y,Z etc ). I need to capture
  the exact exception (like a Sax Parse exception details).
  How do i do that using XMLBeans ??
  - Bana

  Hi Bana,
  You could use the XmlOptions.setErrorListener(Collection) method to get the detailed error message by invoking validate(option).
  Kind Regards,
  Jennifer

• How to validate concurrent program parameter and display a custom message?

  Hi Friends,
  I have a concurrent program which has two non-mandatory parameters.
  The requirement is that user should provide value for any one of the parameters.
  If user does not enter value for both the parameters, i need to display a custom error message.
  Parameter1 has an independent value set.
  Parameter2 has character value set with validation type as special.
  Process i tried so far:
  In the value set for the second parameter, under the Validate event, i have written the following code:
  FND PLSQL "declare
  l_paramb VARCHAR2(20) := :!VALUE;
  l_parama VARCHAR2(20) := :$FLEX$.MOT_CUSTMSGTST_A;
  BEGIN
  IF 1 = 1  THEN
  fnd_message.set_name('FND','FND_GENERIC_MESSAGE');
  fnd_message.set_token('MESSAGE','Please enter any of the ip1 or ip2');
  fnd_message.raise_error;
  END IF;
  END;" I am not using those variables that are defined for the time being.
  Now since the condition 1=1 is always satisfied, i should always receive the error message.
  I am not receving any error message and i can go ahead and submit the program..
  Please advise on where am i going wrong.
  Reports Version - 6i
  Oracle Apps Version - 11.5.10.2
  Regards,
  Sreekanth Munagala

  Hi srrekanth,,
  I've similar issue , I need to display custom message for concurrent program parameter.Need to validate the parameter & display custom message .
  Can you pl provide solution.

• How to validate prerequisite for ODP and Oracle Client connection

  Hi.
  I have a very simple application on .Net that connect to Oracle using ODP (was compiled with Oracle.DataAccess dll 10.2).
  I want to check "connection prerequisite" (application will be able to connect to DB) before installing this aplication on other computers?
  How can I check that ODP.NET version 10.2 or higher is installed on target host (registry check is not enopugh)?
  I know that I can check ODP entries in registry - but this will not check Oracle Client and compatibility between client and ODP.
  Also, if ODP was installed by ODAC XCopy installation - registry may be not updated by new ODP entry.
  And - if I am installing on the computer, DB was installed on, Oracle Client can be not installed separately.
  And one more issue: When I tried to run "test connection" method from installation, that use referenced dll on machine, that has only ODAC (with ODP) 11, - "Oracle.DataAccess.Client.OracleException The provider is not compatible with the version of Oracle client at Oracle.DataAccess.Client.OracleInit.Initialize()
  at Oracle.DataAccess.Client.OracleConnection..cctor()" error message was thrown (policies for both ODAC 10.2 and 11 are exists in GAC (assembly), pointing to Oracle.DataAccess 11 from ODP 2x bin).
  So, How and which components can I check to ensure appropriate versions of ODP and Oracle Client were installed and application will be connected?
  Thank you in advance!

  Hi,
  You could check for the presense of Oracle.DataAccess.dll in the GAC. Bear in mind you'd also want to check the version and whether a policy files exists as well as a newer version + policy file will work too (but not without the policy file).
  That wouldn't confirm the install is valid and works though, and I don't know of a way you could easily check that, apart from perhaps simply trying to run a small exe that attempts a connection to the database.
  With respect to the type initializer exception, that occurs when ODP cant find the right oraops*.dll or oci.dll, usually due to the wrong one being found, but can also occur if one is not found at all. Quite often this is due to the application including ODP in its bin directory rather than letting ODP get picked up out of the gac. Prior to 10.2.0.2.20, ODP loads the dependencies based in PATH so multiple homes can cause it as well. 10.2.0.2.20 and higher ODP loads dll's based on DLLPATH registry entry.
  Hope it helps,
  Greg

• How to settle qty to material and costs to cost center?

  Hi,
  We have a requirement to settle the quantity part of the production order to a non-valuated material and the costs part of the production order to a cost center.
  Our question is as follows :-
  1) During GR to inventory will the production order's costs balance remain as it is (since the material is a non-valuated material) so that it can be settled to a cost center (as a variance) during settlement? We expect only the quantity to be updated in the material master and not the costs during GR.
  If the above does not work then in plan B, we can still use a valuated material and set the standard price to zero so that the full order balance will still remain in the production order so that we can settle it as a variance to a cost center.

  in Standard SAP the cost and the quantity will be updated in the material master while making GR.