Oracle 8i Listener Vulnerability

Similar Messages

• Oracle TNS Listener password

  Where do I specify the tns listener password in CF MX. I have
  added a password to the oracle TNS listener service. I need to get
  MX to pass this password to the oracle server. Is there a place to
  do this.
  cfk

  Here is what I was given from our security group here at
  USDOJ:
  We are using 9i,
  Server Product ColdFusion MX
  Version 7,0,2,142559
  Edition Enterprise
  Serial Number
  Operating System Windows 2003
  OS Version 5.2
  Description:
  A Oracle TNS Listener has been detected on the host with
  login security disabled (SECURITY=OFF).
  Observation:
  Oracle is an enterprise level database which is available on
  many different platforms.
  A configuration vulnerability exists within the Oracle TNS
  Listener which allows remote unauthenticated access. The TNS
  Listener accepts a clients request and establishes a TNS
  (Transparent Network Substrate) data connection between the client
  and the service. A TNS connection allows clients and servers to
  communicate over a network via a common API, regardless of the
  network protocol used on either end (TCP/IP, IPX, etc). A default
  installation of the TNS listens on TCP port 1521.
  Vulnerable Systems:
  Oracle 8i
  Oracle 9i
  Recommendation:
  It is recommended to only allow certain IP's or subnet ranges
  to access the TNS listener. This can be done by adding a rule in
  the firewall. We also recommend that you enable a password for the
  TNS listener within Oracle

• Oracle service, Listener and http server does not start automatically

  Hello,
  I have Oracle 9i release 2 installed on Unix HP box if system restart in case of power failure the Oracle service, Listener and http server does not start automatically, is there any ready reference available to check what's wrong is happening(I don't have knowledge of Unix).
  Thanks, Khawar.

  Hi Rajesh,
  Thanks for reply, I will check this link and will be back if facing problem.
  Regards, Khawar.

• " Starting Oracle Net Listener......."  Hangs  while installing vm manager

  Ive taken all defaults read install guide , checked availability of ports and made sure I have libaio.
  I've reinstalled on two separate machines and everytime install fails after I accept defaults. Logs don't show anything. ./oracle-xe configure is the only thing in the log.
  If I run this again it fails or hangs in the same place. ?????Im not sure where the netlistener is otherwise Id try to manually install?start ?
  "Starting Oracle Net Listener"

  I have noticed the same thing on my install where it hangs on starting the listener. BUT. .. If you hit enter while it is hanging it will continue to the next step of starting the db. . It seems like it is waiting for some input but not displaying that on the screen. I would not suspect any input from a start listener. .This is my experience. Any others see this?

• Cache and Load Balancing with Oracle APEX Listener

  Hi,
  I intend to use only HTTP access.
  How to implement a Cache and Load Balancing with the Oracle APEX Listener?
  Is it possible to do with the the standalone running APEX Listener?
  Thanks by advance for any tips/documentation/references.
  Kind Regards.

  Hi,
  I think this question is best asked in the APEX Listener forum:
  ORDS, SODA & JSON in the Database
  Kind regards
  Sandro

• Cache and Load Balancing for the Oracle APEX Listener

  Hi,
  I intend to use only HTTP access.
  My database is Oracle 11gR2, SE, 32 bit.
  How to implement a Cache and Load Balancing with the Oracle APEX Listener?
  Is it possible to do with the the standalone running APEX Listener?
  Thanks by advance for any tips/documentation/references.
  Kind Regards.

  Error. To be closed.

• Cache and Load Balancing for Oracle APEX Listener

  Hi,
  I intend to use only HTTP access.
  The database I use is Oracle11gR2 SE 32bit.
  How to implement a Cache and Load Balancing with the Oracle APEX Listener?
  Is it possible to do with the the standalone running APEX Listener?
  Thanks by advance for any tips/documentation/references.
  Kind Regards.

  Error. To be closed.

• Oracle 10g listener standard

  Hi all,
  I am trying to define Oracle 10g listener standard in my organization.
  We have 60 Oracle 9i databases in an AIX node. We are planning to upgrade these database to 10g. During upgrade we want to configure the listeners according to our standard.
  Now we are not using dynamic registration for Oracle 9i databases. So there are 60 seperate listeners that always try to establish connections to the database even if the database is not up. This leads to server performance problems when the applications overload the server with connection attempts when there are hundreds of processes waiting to connect.
  After upgrade, we want to make all databases register with a listener for performance problems. But one listener per node can be too risky, maybe we can register a database with more than one listener.
  Also, there are some reasons for shutting the listener down:
  1. Cold backup
  2. Apply patches
  If we use only one listener per node, for cold backup we would shut down the listener and then no clients would connect to the databases.
  After these explanation, I am wondering if we can mix both reducing the number of the listeners for each node and using load balance for all databases.
  Do you hane any ideas, suggestions?
  Thanks,
  Fatma

  With Oracle 10g and RMAN there is no longer any reason to be doing cold backups.
  I'd run one listener per node. If this is too risky than a single database instance is also too risky and you should be investigating other high-availabilty solutions. RAC isn't always the answer.
  Connection manager might also be useful in your environment.
  Cheers,
  Colin

• HELP! Oracle FailSafe - Listener fails when adding standalone database

  Well, I have a cluster of two nodes with the following specs:
  (1) an Oracle 10g database each
  (2) Microsoft Cluster Service (MSCS)
  (3) Windows Server 2003 64-bit edition
  (4) Intel Itanium Processor
  (5) Oracle Failsafe 3.3.3 for Windows 2003 64-bit
  The 64-bit Oracle Failsafe doesn't come with Oracle Failsafe Manager, so I used a Failsafe Manager remotely from another clustered servers. The version is also 3.3.3, but it's running on a Windows 2000 Advanced Server.
  Well, after connecting to the 64-bit cluster, I added the standalone database to a Cluster Group. There are two cluster groups on the Server:
  (1)"Cluster Group" (the default cluster group created by MSCS); containing an IP address, a network name, Oracle Cluster Services, and the Quorum hard drive.
  (1)"ORACLE DB" A cluster gropu I created for the database; containing another IP address, a network name for the IP address, and every hard drive volumes of the database files.
  The database currently resides on the Node 2 (because I created it there). I have successfully verified the database (using "Verify Standalone Database" option). BUT when I added the database into the cluster group ORACLE DB, it failed with the following message:
  23 20:48:48 ** ERROR : FS-10066: Failed to start Windows service OracleOraDb10g_home1TNSListener for the Oracle Net listener
  When I opened the Windows Event Viewer, apparently the Listener Service had started, but it soon "terminated unexpectedly":
  At first, the Listener Service appeared to be started:
  But this is what happened next; it seemed the Listener Service terminated abruptly after entering the running state for a very short time:
  What happened? What should I do? What is the problem? Many thanks!
  PS: the following are the messages from both Verifying Standalone Database and Adding Standalone Database. The verification was successfull, but I just failed to add the database:
  >
  Versions: client = 3.3.3 server = 3.3.3 OS =
  Operation: Verifying standalone database "PAYMENT"
  Starting Time: May 11, 2005 19:50:11
  Elapsed Time: 0 minutes, 4 seconds
  1 19:50:11 Starting clusterwide operation
  2 19:50:11 FS-10915: POSDB2 : Starting the verification of standalone resource PAYMENT
  3 19:50:11 FS-10371: POSDB2 : Performing initialization processing
  4 19:50:11 FS-10371: POSDB1 : Performing initialization processing
  5 19:50:12 FS-10372: POSDB2 : Gathering resource owner information
  6 19:50:12 FS-10372: POSDB1 : Gathering resource owner information
  7 19:50:12 FS-10373: POSDB2 : Determining owner node of resource PAYMENT
  8 19:50:12 FS-10374: POSDB2 : Gathering cluster information needed to perform the specified operation
  9 19:50:12 FS-10374: POSDB1 : Gathering cluster information needed to perform the specified operation
  10 19:50:12 FS-10375: POSDB2 : Analyzing cluster information needed to perform the specified operation
  11 19:50:12 FS-10378: POSDB2 : Preparing for configuration of resource PAYMENT
  12 19:50:12 ** WARNING : FS-10247: The database parameter file H:\PAYMENT\admin\pfile\pfilePAYMENT.ora specified for this operation will override the parameter file value in the registry
  13 19:50:12 ** WARNING : FS-10248: At registry key SOFTWARE\ORACLE\KEY_OraDb10g_home1, value of ORA_PAYMENT_PFILE is H:\PAYMENT\admin\pfile
  14 19:50:12 FS-10916: POSDB2 : Verification of the standalone resource
  15 19:50:12 > FS-10341: Starting verification of database PAYMENT
  16 19:50:13 > FS-10342: Starting verification of Oracle Net configuration information for database PAYMENT
  17 19:50:13 > FS-10496: Generating the Oracle Net migration plan for PAYMENT
  18 19:50:13 > FS-10491: Configuring the Oracle Net service name for PAYMENT
  19 19:50:13 > FS-10343: Starting verification of database instance information for database PAYMENT
  20 19:50:13 >> FS-10347: Checking the state of database PAYMENT
  21 19:50:13 >> FS-10425: Querying the disks used by the database PAYMENT
  22 19:50:15 > FS-10344: Starting verification of Oracle Intelligent Agent for database PAYMENT
  23 19:50:15 > FS-10345: Verification of standalone database PAYMENT completed successfully
  24 19:50:15 FS-10917: POSDB2 : Standalone resource PAYMENT was verified successfully
  25 19:50:15 FS-10378: POSDB1 : Preparing for configuration of resource PAYMENT
  26 19:50:15 FS-10916: POSDB1 : Verification of the standalone resource
  27 19:50:15 > FS-10341: Starting verification of database PAYMENT
  28 19:50:15 > FS-10342: Starting verification of Oracle Net configuration information for database PAYMENT
  29 19:50:15 > FS-10496: Generating the Oracle Net migration plan for PAYMENT
  30 19:50:15 > FS-10491: Configuring the Oracle Net service name for PAYMENT
  31 19:50:15 > FS-10343: Starting verification of database instance information for database PAYMENT
  32 19:50:15 > FS-10344: Starting verification of Oracle Intelligent Agent for database PAYMENT
  33 19:50:15 > FS-10345: Verification of standalone database PAYMENT completed successfully
  34 19:50:15 FS-10917: POSDB1 : Standalone resource PAYMENT was verified successfully
  35 19:50:15 The clusterwide operation completed successfully, however, the server reported some warnings.
  >
  Versions: client = 3.3.3 server = 3.3.3 OS =
  Operation: Adding resource "PAYMENT" to group "ORACLE DATABASE"
  Starting Time: May 11, 2005 20:48:43
  Elapsed Time: 0 minutes, 7 seconds
  1 20:48:43 Starting clusterwide operation
  2 20:48:44 FS-10370: Adding the resource PAYMENT to group ORACLE DATABASE
  3 20:48:44 FS-10371: POSDB2 : Performing initialization processing
  4 20:48:44 FS-10371: POSDB1 : Performing initialization processing
  5 20:48:45 FS-10372: POSDB2 : Gathering resource owner information
  6 20:48:45 FS-10372: POSDB1 : Gathering resource owner information
  7 20:48:45 FS-10373: POSDB2 : Determining owner node of resource PAYMENT
  8 20:48:45 FS-10374: POSDB2 : Gathering cluster information needed to perform the specified operation
  9 20:48:45 FS-10374: POSDB1 : Gathering cluster information needed to perform the specified operation
  10 20:48:45 FS-10375: POSDB2 : Analyzing cluster information needed to perform the specified operation
  11 20:48:45 >>> FS-10652: POSDB2 has Oracle Database version 10.1.0 installed in ORADB10G_HOME1
  12 20:48:45 >>> FS-10652: POSDB1 has Oracle Database version 10.1.0 installed in ORADB10G_HOME1
  13 20:48:45 FS-10376: POSDB2 : Starting configuration of resource PAYMENT
  14 20:48:45 FS-10378: POSDB2 : Preparing for configuration of resource PAYMENT
  15 20:48:46 FS-10380: POSDB2 : Configuring virtual server information for resource PAYMENT
  16 20:48:46 ** WARNING : FS-10247: The database parameter file H:\PAYMENT\admin\pfile\pfilePAYMENT.ora specified for this operation will override the parameter file value in the registry
  17 20:48:46 ** WARNING : FS-10248: At registry key SOFTWARE\ORACLE\KEY_OraDb10g_home1, value of ORA_PAYMENT_PFILE is H:\PAYMENT\admin\pfile
  18 20:48:46 > FS-10496: Generating the Oracle Net migration plan for PAYMENT
  19 20:48:46 > FS-10490: Configuring the Oracle Net listener for PAYMENT
  20 20:48:46 >> FS-10600: Oracle Net configuration file updated: F:\ORACLE\PRODUCT\10.1.0\DB_1\NETWORK\ADMIN\LISTENER.ORA
  21 20:48:46 >> FS-10606: Listener configuration updated in database parameter file: H:\PAYMENT\admin\pfile\pfilePAYMENT.ora
  22 20:48:47 >> FS-10605: Oracle Net listener Fslpos created
  23 20:48:48 ** ERROR : FS-10066: Failed to start Windows service OracleOraDb10g_home1TNSListener for the Oracle Net listener
  24 20:48:48 ** ERROR : FS-10065: Error trying to configure the Oracle Net listener
  25 20:48:48 > FS-10090: Rolling back Oracle Net changes on node POSDB2
  26 20:48:50 ** ERROR : FS-10784: The Oracle Database resource provider failed to configure the virtual server for resource PAYMENT
  27 20:48:50 ** ERROR : FS-10890: Oracle Services for MSCS failed during the add operation
  28 20:48:50 ** ERROR : FS-10497: Starting clusterwide rollback of the operation
  29 20:48:50 FS-10488: POSDB2 : Starting rollback of operation
  30 20:48:50 FS-10489: POSDB2 : Completed rollback of operation
  31 20:48:50 ** ERROR : FS-10495: Clusterwide rollback of the operation has been completed
  32 20:48:50 Please check your Windows Application log using the Event Viewer for any additional errors
  33 20:48:50 The clusterwide operation failed !

  umm... help? Anyone?

• Oracle DB listener traffic

  Hello all,
  I work for the information security group of my company, and I'm trying to get some information about some traffic we've seen on the network.
  We've seen connections to port 1521 on our server running Oracle 9 (I believe this is the default port for the Oracle DB listener according to IANA) but we also see a second connection occurring right after the connection to port 1521 on a different port.
  I've noticed that there are usually 2 pings targeting the server, then a connection to port 1521 and then another connection to some apparently-arbitrary registered port. We usually see three of these connection pairs, and then we see the ping and more connections repeat in a similar fashion. To illustrate:
  PING
  PING
  TCP connection: port 1521
  TCP connection: port 4564
  TCP connection: port 1521
  TCP connection: port 4568
  TCP connection: port 1521
  TCP connection: port 4572
  <repeating>
  Is this normal for these TNS connections to occur like this with a secondary port? I contacted the DB admin, however he didn't seem too sure about the secondary connections. I tried to find some documentation about the connections, however I couldn't seem to find any information about it.
  Please pardon my ignorance in the matter since this would appear to be a "nooby" question. My knowledge of databases is little (and my knowledge of Oracle is non-existant).
  Best Regards,
  Ryan

  This is absolutely normal and it is the default behaviour for the listener.
  When the listener catches a request at its listening port (1521-default) it only process the request to launch an oracle server against the rdbms (spawn), once the oracle server process has been created listener hands off (bequeath) the connection to it, so at this time the listener sits back to its listener port waiting for incoming requests and it doesn't care about the connection once the client has established communication with the rdbms through the oracle server process, which uses a randomly assigned port.
  There is an special configuration which uses the same listener port for read and write, but this configuration is used only on firewall not certified to handle oracle connections or when there are other security restrictions. But it is seldom used due to listener performance.
  ~ Madrid

• Failed to start Oracle Net Listener using

  hi
  I ' trying to configure oracle 10g in ubuntu machine. I got the following errors like
  Starting Oracle Database 10g Express Edition Instance.
  Failed to start Oracle Net Listener using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/tnslsnr and Oracle Express Database using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus
  when ever i try to start oracle,i have got above issue

  ya .... i hav found listener.log file.
  Also when i try to run this cmd # sqlplus / as sysdba
  i got following error like
  Error 46 initializing SQL*Plus
  HTTP proxy setting has incorrect value
  SP2-1502: The HTTP proxy server specified by http_proxy is not accessible
  also when i stop the listener and try try to restart it again ....i got error message like
  Starting /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/tnslsnr: please wait...
  TNSLSNR for Linux: Version 10.2.0.1.0 - Production
  NL-00280: error creating log stream /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/network/log/listener.log
  NL-00278: cannot open log file
  SNL-00016: snlfohd: error opening file
  Linux Error: 13: Permission denied
  Listener failed to start. See the error message(s) above...

• Failed to start Oracle Net Listener

  Hi ,
  can any body help me regarding failing of listener.
  Starting Oracle Database 10g Express Edition Instance.
  Failed to start Oracle Net Listener using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/tnslsnr and Oracle Express Database using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus.
  iam using Fedore core4 installing oracle10g Express editon ,on standalone system,Below are the logs
  sqlplus system
  SQL*Plus: Release 10.2.0.1.0 - Production on Mon Aug 31 13:21:39 2009
  Copyright (c) 1982, 2005, Oracle. All rights reserved.
  Enter password:
  ERROR:
  ORA-01034: ORACLE not available
  ORA-27101: shared memory realm does not exist
  Linux Error: 2: No such file or directory
  Enter user-name:
  /etc/init.d/oracle-xe restart
  Shutting down Oracle Database 10g Express Edition Instance.
  Stopping Oracle Net Listener.
  Starting Oracle Net Listener.
  Starting Oracle Database 10g Express Edition Instance.
  Failed to start Oracle Net Listener using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/tnslsnr and Oracle Express Database using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus.
  [root@localhost ~]#
  LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 31-AUG-2009 13:26:27
  Copyright (c) 1991, 2005, Oracle. All rights reserved.
  Starting /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/tnslsnr: please wait...
  TNSLSNR for Linux: Version 10.2.0.1.0 - Production
  System parameter file is /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/network/admin/listener.ora
  Log messages written to /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/network/log/listener.log
  Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC_FOR_XE)))
  Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)(PORT=1521)))
  TNS-12545: Connect failed because target host or object does not exist
  TNS-12560: TNS:protocol adapter error
  TNS-00515: Connect failed because target host or object does not exist
  Linux Error: 11: Resource temporarily unavailable
  Listener failed to start. See the error message(s) above...
  Please help

  I need help please:
  I have installed Oracle 10g Express Edition without struggles ( Little curious about the fact
  that the directory /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/config/log/ is empty).
  % /etc/init.d/oracle-xe configure --> worked good without default settings.
  % /etc/init.d/oracle-xe start --> is silent : No verbose or messages in term.
  I can't connect to server http://localhost:8080/htmldb or http://localhost:8080/apex.
  I uninstalled and re-installed Oracle 10g... Now the command:
  % /etc/init.d/oracle-xe configure --> Oracle is already configured.
  But the connection to the server always fails.
  My environment has all the following:
  % uname -r
  2.6.30.5-43.fc11.i686.PAE
  % echo $ORACLE_HOME
  /usr/lib/oracle/xe/app/oracle/product/10.2.0/server
  % echo $ORACLE_SID
  XE
  % echo $PATH
  /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin:/usr/lib/qt-3.3/bin:/usr/kerberos/sbin.....
  BUT I also had the responses:
  % /etc/init.d/oracle-xe restart
  Shutting down Oracle Database 10g Express Edition Instance.
  Stopping Oracle Net Listener.
  Starting Oracle Net Listener.
  Starting Oracle Database 10g Express Edition Instance.
  Failed to start Oracle Net Listener using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/tnslsnr and Oracle Express Database using /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/sqlplus.
  %sqlplus
  Error 6 initializing SQL*Plus
  Message file sp1<lang>.msb not found
  SP2-0750: You may need to set ORACLE_HOME to your Oracle software directory
  % /etc/init.d/oracle-xe status
  /bin/su: user oracle does not exist
  % lsnrctl start { Messages below are my translations into english, sorry ;-) }
  LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 21-FEB.-2010 18:31:24
  Copyright (c) 1991, 2005, Oracle. All rights reserved.
  Launch /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin/tnslsnr: Please wait...
  TNSLSNR for Linux: Version 10.2.0.1.0 - Production
  NL-00280: Erreur de création de la chaîne de journalisation /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/network/log/listener.log
  NL-00278: Impossible to open journalisation file
  SNL-00016: snlfohd : File opening error
  Listening process failure. Read error messages above...
  I wish someone here gives some tips (with the commands, I am an apprentice); I dont know
  where to begin my checks.
  Thx.

• How to Start oracle web listener 'www'

  I was able to start 'admin' listener successfully. However I am not able to start the www listener. It gives the message of "Unable to startup Oracle Web Listener 'www' and "Check NT Event log".
  the NT Event Log says "The description for Event in Source Oracle_Web_Listener could not be found.It contains the following insertion string: A failure occured. (Address is already in use)When assigning a port (and then it gave me the domain name and port).
  Please advise on how I should start the www listener. Thanks

  Janilson wrote:
  I don't know which oracle version you are using but, I use the Express version (Oracle-xe)
  In order to configure it I run
  sudo /etc/rc.d/oracle-xe configure
  After configure oracle, I start oracle service
  sudo /etc/rc.d/oracle-xe start
  I don't know if it helps sad
  I don't see any thing in rc.d. I use systemctl to start daemons.
  stee1rat wrote:What command do you use to run it? And what are your environment variables?
  lsnrctl start

• Do I have to make Oracle XE listener working before I install Oracle APEX?

  Hi, guys:
  I have a question: Do I have to make Oracle XE listener working before I install Oracle APEX 4.2? I have installed Oracle XE 11g on windows 7, however, I got problem to run Oracle XE listener, though Oracle XE itself is running. Since my purpose is to run Oracle APEX I was wondering if I have to make Oracle XE listener working at first.
  Thanks for your comments!
  Sam

  Hi, Jarola:
  Thanks for your help! My supervisor asked us to install Oracle XE, OC4J, and APEX listener in our local PC (windows 7 64 bits). I guess his purpose is to train us to install APEX 4.2 eventually. I installed OC4J and APEX listener before without much problem; but I have difficulty to install Oracle XE on windows 7 64 bits version as so far Oracle XE only supports 32 bits windows. after I installed Oracle XE, I got these problems:
  #1 the Oracle XE itself is running, but XE listener cannot work, it always reports "the Oracle OracleXETNSListener service started and then stopped, some service stop automatically if they are not in use by other services or programs.",
  #2 It looks Oracle_home of XE conflicts with that of OC4J. I tried to set ORACLE_HOME as "C:\OC4J\oc4j_extended_101350;C:\oraclexe\app\oracle\product\11.2.0\server", but OC4J cannot find config file so I cannot start OC4J. it is messed up.
  #3 most of all, I was wondering if you could tell me the relationship among Oracle XE, OC4J, and APEX listener regarding installing APEX 4.2, are they all necessary to install APEX 4.2? if so, could you guide me to install these things with proper steps (say, which one should be installed first?)? any of your suggestion would be very appreciated! (I have tried two weeks without progress...)
  Sam
  Edited by: lxiscas on Nov 28, 2012 8:00 AM

• Oracle TNS Poison vulnerability

  Hello;
  I have an e-mail from our internal Security team warning me about this and providing this link as proof:
  http://isc.sans.edu/diary/Critical+Unpatched+Oracle+Vulnerability/13069
  Question:
  Is this something I should worry about? If yes why?
  All helpful comments welcome.
  Cooper

  Hi all,
  It seems that for non-RAC a simple workaround exists (see http://www.h-online.com/security/news/item/Oracle-databases-vulnerable-to-injected-listeners-1563150.html) just by setting
  DYNAMIC_REGISTRATION = OFF (in listener.ora).
  * Can anyone confirm whether or not this works? And if yes, would it work in Oracle 9i? (I can not check it myself, Oracle.com leads me to http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1 (for non-RAC), but my Oracle.com account has not enough privileges.
  * And yes, I have checked the Oracle documentation (both 9i and 11g), but that does not really help
  In the documentation I do find a setting DYNAMIC_REGISTRATION _<listener_name> = ..., but not DYNAMIC_REGISTRATION = ...
  So I'm not sure if this setting actually exists, can anyone confirm?
  * And if the setting exists, I did it as below, is this correct, given an instance name XYX?
  Thanks in advance for your help!
  XYZ =
  (DESCRIPTION_LIST =
  (DESCRIPTION =
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = TCP)(HOST = ...)(PORT = 1521))
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
  SID_LIST_XYZ =
  (SID_LIST =
  (SID_DESC =
  (ORACLE_HOME = ...)
  (PROGRAM = extproc)
  (DYNAMIC_REGISTRATION = OFF)
  Thanks very much for your help?