Oracle FAILSAFE and CVE-2012-1675

Folks,
I'm running Oracle 10.2.0.3 {PATCH 29} on Windows32 with Oracle Failsafe 3.4.4.1. I've tried implementing the IPC fix and the dynamic_registration=OFF fix as prescribed and get the listener.log error listed below with either attempt. It doesn't look like either fix works for FAILSAFE.
07-MAY-2012 15:00:07 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
How do I implement this fix on my environment?
Any and all help is GREATLY APPRECIATED!

Hello;
Did you do this?
Plus for each database
alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
"With COST enabled for TCP attempts to register with the listener from anything other than the local system using TCP is rejected and an event is logged"
TNS-01194
Might look at these as an option:
How to Add New Listeners in a Fail Safe Environment [ID 217096.1]
How to protect a listener with a password in Oracle Fail Safe? [ID 333239.1]
Best Regards
mseberg
Edited by: mseberg on May 7, 2012 12:36 PM
Edited by: mseberg on May 7, 2012 12:45 PM
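As an added example (not code from the thread or from Oracle), a small Python triage over listener.log lines of the kind quoted in the question: it pulls out registration attempts the listener refused and maps the numeric return code to its TNS- number. The log excerpt is constructed; only the 1194 entries mirror the one quoted above.

```python
import re
from collections import Counter

# Constructed listener.log excerpt; the two "1194" lines mirror the entry quoted in the question.
SAMPLE_LOG = """\
TNSLSNR for 32-bit Windows: Version 10.2.0.3.0 - Production on 07-MAY-2012 14:57:50
07-MAY-2012 14:58:01 * service_register * ORCL * 0
07-MAY-2012 15:00:07 * service_register_NSGR * 1194
07-MAY-2012 15:02:13 * (CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=49152)) * establish * ORCL * 0
07-MAY-2012 15:05:44 * service_register_NSGR * 1194
"""

# Listener commands that appear as a field of their own in listener.log event lines.
COMMAND_RE = re.compile(r"service_register\w*|service_update|service_died|establish|status|stop|reload|ping|services|version")

def parse_listener_log(text):
    """Parse listener.log event lines (fields separated by ' * ', last field = TNS return code)."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" * ")]
        if len(parts) < 3 or not parts[-1].isdigit():
            continue  # banner, blank or other non-event line
        cmd = next((p for p in parts[1:-1] if COMMAND_RE.fullmatch(p)), "?")
        rc = int(parts[-1])
        events.append({"ts": parts[0], "cmd": cmd, "rc": rc,
                       "tns": f"TNS-{rc:05d}" if rc else None})  # 1194 -> TNS-01194
    return events

def rejected_registrations(events):
    """Instance registrations the listener refused (non-zero return code).
    TNS-01194 means COST refused a registration that did not arrive over the permitted
    transport: the instance is still registering over TCP instead of the IPC REGISTER key."""
    return [e for e in events if e["cmd"].startswith("service_register") and e["rc"] != 0]

def summarize(events):
    """Counts per (command, outcome), for a quick view of what the listener refused."""
    return dict(Counter((e["cmd"], e["tns"] or "ok") for e in events))
```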

Similar Messages

  • TNS Listener Poison attack : Oracle Security Alert for CVE-2012-1675

    Hi,
    I'm looking to implement the following oracle document about COST but not sure what we need to do for Standby Environment ,
    Can you guys please advise.
    Oracle Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]
    Oracle Security Alert for CVE-2012-1675
    Thanks

    user097815 wrote:
    With regards to the below thread, which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"... I just wanted to find out if this affects DBs that are external or internal... meaning 95% of our DBs are in the network (internally) behind our firewall... and the rest of the 5% are outside our firewall facing the world wide web... so does this apply to both or just one?
    The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
    IMO, mandatory if you expose your Listener to an unsecured or public network (e.g. internet).
    As for Listeners running on your internal network - if this attack is used, securing your Listeners means very little IMO. Because your internal network already needs to be compromised in order for the attack to occur. Which means you have far more serious problems than someone attacking your Listeners.

  • Oracle Security Alert for CVE-2012-1675

    Hi,
    I want to know more about recent release "Oracle Security Alert" : http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
    Document available in https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
    Fix is about Class of Secure Transport (COST). I need to know about elaborate steps to find out whether this change is need to apply to my databases or not.
    About my DBs : 10.2.4 , AIX, Nondefault Listener, Shared env , non RAC, local_listener is null & running in pfile.
    Thx,
    Gowin.

    Hello;
    Apply it. Very clean. Simple. No outage on Non-RAC. Biggest Impact is listener stop and start. Took about 3 minutes per server.
    Tested today and had zero issues. ( Assumed you understood a CONNECT was part of the test ). Zero issues.
    Had a thread on this here a few days ago :
    Oracle TNS Poison vulnerability
    See Oracle Support Note 1453883.1 for additional information.
    Best Regards
    mseberg
    With all due respect this isn't very hard. Make a decision.
    Edited by: mseberg on May 2, 2012 7:13 AM

  • Oracle TNS Poison vulnerability - CVE-2012-1675

    Oracle announced a zero day vulnerability today - http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
    Looks like a man in the middle attack.
    For CF8 or CF9, can the native oracle driver be configured to use SSL/TLS?

    Rather than attempting to patch something without official patches and potentially breaking your license to use it, I suggest disabling listener dynamic registration and configuring a static local_listener parameter within your XE database.  The TNS poison vulnerability relies on dynamic listener registration, and by disabling it we should no longer have risk from this vulnerability.

  • April 2012 CVE-2012-1675 security alert - issues

    Thanks for taking my questions.
    We are Windows 11g (non RAC). The April Security Patch CVE-2012-1675 ID: 1453883.1
    This fix isn't working for me. STEP 4) Replace the tcp address in the database ….. errors.
    I did some more digging and found they updated the doc ID: 1453883.1 to include TCP but the first step is “OBTAIN AND APPLY THE PATCH FOR BUG:12880299”. I can’t find this patch or bug.
    Has anyone tackled this fix and got it to work?
    Thanks,
    Kathie

    Thanks everyone for the helpful information!! I sometimes have a real difficult time searching for stuff in Oracle Support so the forum is my reality check:)
    Anyway, I did get the IPC method to work. I think the entries in the network.ora file had to be in a specific order. After I changed the IPC entry to come before the TCP entry, the change applied as expected.
    My understanding is that either the IPC or the TCP change will protect you. If anyone knows something other than that please let me know.
    Thanks again for the help!
    Kathie

  • How to validate CVE-2012-1675 and COST restriction

    Hello,
    I am curious to know about the test case to validate the COST and CVE 1675 implementation. I have a 3 node cluster running on 11.2.0.3.0 with SCAN. I tried to search in metalink but couldn't find any document which states the test/validation case. Please help.
    Thanks,
    Pankaj

    I am not sure if you are looking for steps to reproduce the vulnerability or just to see what the impact is if it's not patched.
    Here is a demo https://www.youtube.com/watch?v=hE3-AkxSX3w of what happens if patch is not applied.
    Hope this helps.
    Regards,
    NC
    Edited by: NC on Mar 28, 2013 2:40 AM

  • How to address CVE-2012-1675 with Oracle Express 11.2.0.2 release june 2014? No access to patches via the Oracle Critical Patch Update page..

    Where do we find the patch for Express user downloads? The Oracle Critical Patch Update site requires a valid support license.

    XE is not patch-able - there is no support available.

  • Oracle Security Alert for CVE-2012-1675 Released April 30th, 2012.

    Kindly let me know how I will download the patch for this. Currently we have Oracle DB on versions 10.2.0.4, 10.1.0, 11.2.0.3 in RAC. Do we need to apply the patch for all these databases? I have not applied any patches after Oracle was installed. Can I apply this patch directly or do I need to apply the previous patches before this?
    I am a beginner and not a DBA, but I need to support the DB also as part of application support. Kindly help.

    Patches are only available at Oracle's support site - https://support.oracle.com - access to which is granted only if you have a support contract with Oracle.
    After you download the patch(es), follow the steps in the README
    HTH
    Srini

  • TNS Listener Poison Attack - CVE-2012-1675

    I have a few databases from Oracle 9i to Oracle 11g. Many are standalone instances, and a few are RAC instances.
    My questions are
    1) For standalone instances, will the following setting in listener.ora file and restarting listener addresses this vulnerability? Or is there any thing else we need to do? We want to avoid any patches now and see if we can resolve this quickly.
    DYNAMIC_REGISTRATION_LISTENER = off
    2) If we don't configure "remote_listener", is it applicable for us?
    3) For RAC instances, I can follow the steps mentioned in
    Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
    Regards,
    Sarayu

    Sarayu;
    1) For standalone instances, will the following setting in listener.ora file and restarting listener addresses this vulnerability? Or is there any thing else we need to do? We want to avoid any patches now and see if we can resolve this quickly.
    DYNAMIC_REGISTRATION_LISTENER = off
    A: No, you need to add another setting: (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
    Example:
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = your hostname)(PORT = 1521))
          (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
        )
      )
    Plus for each database
    alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;
    stop and start the listener
    Read note 1453883.1
    Oracle 9 - No idea
    2) If we don't configure "remote_listener", is it applicable for us?
    A: Yes you should still fix your listener.ora
    3) For RAC instances, I can follow the steps mentioned in
    Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC [ID 1340831.1]
    A: Yes.
    Best Regards
    mseberg
    Aman - Great memory!
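An added example, not mseberg's or Oracle's code: a Python check that parses a listener.ora in the shape shown in the answer above and reports whether the IPC REGISTER endpoint is present and whether the SECURE_REGISTER_<listener> COST parameter from note 1453883.1 (not quoted in this thread) restricts registration to IPC. The sample file and its hostname are constructed.

```python
import re
# Constructed listener.ora like mseberg's example above (hostname is a placeholder); SECURE_REGISTER_LISTENER is the COST parameter from note 1453883.1, not shown in the thread.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SECURE_REGISTER_LISTENER = (IPC)
"""

def _value(toks, i):
    """Parse the value at toks[i]: a bare token, or a run of parenthesised nodes."""
    if toks[i] != "(":
        return toks[i], i + 1
    nodes = []
    while i < len(toks) and toks[i] == "(":
        named = toks[i + 2] == "="              # (NAME = value) versus bare (IPC)
        val, j = _value(toks, i + 3) if named else (toks[i + 1], i + 2)
        nodes.append((toks[i + 1].upper() if named else None, val))
        i = j + 1                               # step over the closing ')'
    return nodes, i

def parse_ora(text):
    """Parse a *.ora file into {PARAM: value}; a value is a str or a list of (name, value)."""
    toks, params, i = re.findall(r"[()=]|[^()=\s]+", text), {}, 0
    while i < len(toks):                        # top level is NAME = value
        name = toks[i].upper()
        params[name], i = _value(toks, i + 2)
    return params

def _addresses(nodes):  # every ADDRESS below nodes, in file order, as {PROTOCOL: ..., KEY: ...}
    for name, val in nodes:
        if name == "ADDRESS":
            yield {k: v.upper() for k, v in val}
        elif isinstance(val, list):
            yield from _addresses(val)

def check_cost(text, listener="LISTENER"):
    """Findings about instance registration; [] means the IPC/COST configuration is in place."""
    params, findings = parse_ora(text), []
    protos = [(a.get("PROTOCOL"), a.get("KEY")) for a in _addresses(params.get(listener, []))]
    if ("IPC", "REGISTER") not in protos:
        findings.append("no (ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)) endpoint for registration")
    secure = params.get(f"SECURE_REGISTER_{listener}", [])
    vals = [v for _, v in secure] if isinstance(secure, list) else [secure]
    if "IPC" not in {x.strip().upper() for v in vals for x in v.split(",")}:
        findings.append(f"SECURE_REGISTER_{listener} does not restrict registration to IPC")
    return findings
```

The local_listener change shown in the answer is a database-side setting and is not visible in listener.ora, so this check covers only the listener half of the fix.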

  • Listener Poison Attack (CVE-2012-1675).

    I want to fix Listener Poison Attack for non RAC system, but I can't open the url https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
    Can someone get the note for me ? Thanks!

    Hi there,
    You posted this in the Application Express forum. At first glance, it looks like this issue is with the database listener - nothing directly to do with Application Express, really.
    Joel

  • CVE-2012-4681

    I am on solaris 5.10, have java 6.17 , Apps version is 11.5.10.2, and Db is 10g, just one simple question, is java 6 update 35 compatible with my mentioned system.

    A google search on "CVE-2012-4681"
    found the following as the second hit, in 0.15 seconds:
    https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
    It seems to be the announcement for the alert that you should have read before posting.
    The first paragraph states:
    Oracle has just released Security Alert CVE-2012-4681 to address 3 distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers. These vulnerabilities are: CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547. These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software. (emphasis added)
    Perhaps you should use your service contract credentials and log an SR to speak with Oracle Technical Support and get the rest of your questions cleared up.
    These forums are NOT a way to contact Oracle directly. They are end-user to end-user discussion forums.

  • Oracle FailSafe on Windows Cluster - Oracle Service Question

    I'm running DB10G R2 on a 2 node Windows 2003 Server cluster.
    I have configured Oracle FailSafe and the failover 'appears' to be working correctly but I'm confused as to what/how the DB service works.
    When I switch between nodes the OracleService<SID> remains at Started on the node I'm switching from, the service on the newly 'active' node never starts. Is this expected behaviour?
    The database is accessible from the clients but I'm guessing (am unable to test/prove) that if I power down node1 it won't be.

    Why can't you test/prove what happens when you power down node1? A critical part of every cluster implementation should be to perform failure testing.
    It's been a while since I've worked with Failsafe, but I do remember that all management is performed through the cluster manager application (can't remember what it is called exactly--the MSCS cluster admin tool). You shouldn't have to worry about the services. You should be able to relocate the database, its storage (drives) and its associated IP address to the other cluster node and verify via the MSCS app that all services are running on that other node. At that point, the original node (node1 in this case) can be powered off, rolled out of the building, whatever you want--the database should remain available on node2.
    Dan

  • Mapping of CAN and CVE to Oracle CPU

    There is a page on OTN that maps public security vulnerability findings (CANs and CVEs) to Oracle CPUs. The page states that it includes all CPUs up to January 2008. However, it appears the table has not been updated since January 2007.
    Here is a link to the page:
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html

    There have been no vulnerability fixes released against open source products via Critical Patch Updates for over one year. The table is up to date. There have been many Critical Patch Update fixes for proprietary software, of course, but we do not reference CVE entries in this or any other documentation for proprietary software vulnerabilities.
    Bruce

  • CVE-2014-6271 and CVE-2014-7169 / Oracle Linux

    Hi ,
    The patch required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle Linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm".
    From where can I get this patch? It's not available on support.oracle/patches!!
    Thanks,
    Thamer

    Your Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
    You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5).

  • Oracle Failsafe error and logs

    Since I don't see any Oracle Failsafe forum I post here. Please let me know if this is wrong or there is a better section.
    Sometimes when I try to take offline my instance I receive this error:
    FS-10890: Oracle Services for MSCS failed during the offline operation
    FS-10013: Failed to take the cluster resource ORAWHITE offline
    FS-10728: Resource ORAWHITE timed out trying to go offline
    This is very strange since, looking at the alert log, I see that the shutdown takes less than one minute while the timeout is 3 minutes.
    Failsafe has any logs that can be investigated?
    Hope you can help me.
    Cheers
    Adriano

    user10388158 wrote:
    Hi,
    i need a little help..
    for some reason, my production listener crashes.. but when looking into the logs of my listener, no error is shown.
    even if I check the time stamp, there is no error in the log.
    Forgive me, but I need to ask a simple question.
    what proof exists that outage was not an Operating System crash?
    if the system crashed, then the Oracle listener would no longer be available to log any connection requests.
    Handle:     user10388158
    Status Level:     Newbie
    Registered:     Mar 10, 2010
    Total Posts:     25
    Total Questions:     9 (8 unresolved)
    why do you waste time here when your questions RARELY get answered?
