| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> Re: listener for external procedure
Hi David,
First of all, I gathered this information from the 2nd Metalink hit when I searched for "listener extproc security" in less than 2 minutes. This list is a great resource, but it works best when some attempt has been made through traditional channels.
Your SysAdmin is probably referring to Oracle Security Alert #57. A patch is available (see below). Apply the patch listed in the Patch Availability Matrix, or perform the steps required listed in the Workaround section.
HTH.
Stephen
---cut from metalink ---
If the PL/SQL EXTPROC functionality is required in your Oracle installation, there are 5 steps that must be taken in order to protect against the potential security vulnerability identified above.
Do not specify any EXTPROC specific entries in the configuration files of the Oracle Listener for the database.
Configure the Oracle Listener for PL/SQL EXTPROC with an IPC protocol address only.
If TCP connectivity is required, configure a TCP protocol address, but use a port other than the one the Oracle Listener for the database is using. Ensure that the Oracle Listener created for PL/SQL EXTPROC runs as an unprivileged OS user (e.g., "nobody" on Unix). On Windows platforms, run the Oracle Net Listener process as an unprivileged user and not as the Windows LOCAL SYSTEM user. Give this user the OS privilege to "Logon as a service."
2. If you have configured the Oracle Listener for PL/SQL EXTPROC with a TCP protocol address, modify the EXTPROC specific entry in $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA to reflect the correct port for the new Oracle Listener.
3. If you have configured the Listener for PL/SQL EXTPROC with a TCP protocol address, ensure that the connections to this Oracle Listener can only originate from the hosts that need access to EXTPROC by doing the following.
Use the Oracle Net Services feature called "valid node checking" to
allow or deny access to Oracle Server processes from network clients
with specified IP addresses. Set the following parameters in
$ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA
($ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle8i and prior releases)
to enable the valid node checking feature:
tcp.validnode_checking = YES
tcp.invited_nodes = {list of IP addresses}
tcp.excluded_nodes = {list of IP addresses}
The first parameter turns on the valid node checking feature. The latter two parameters respectively specify the IP addresses that are permitted to make network connections and those that are prohibited from making network connections to the Oracle Server processes.
Restrict access to the Oracle Listener for PL/SQL EXTPROC only. A separate $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA file is required for this Oracle Listener. You can store this file in any directory other than the one in which the database LISTENER.ORA and SQLNET.ORA files are located. Copy the LISTENER.ORA with the configuration of the Oracle Listener for PL/SQL EXTPROC into this other directory as well. Before starting the Oracle Listener for PL/SQL EXTPROC, set the TNS_ADMIN environment variable (or Windows Registry parameter) to specify the directory in which the new configuration files for PL/SQL EXTPROC are stored.
4. Ensure that the file permissions on separate $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA are set at either 640 or 644.
5. Change the password for any privileged database account, or for an ordinary user given administrative privileges that grant the ability to add packages or libraries and access system privileges in the database (such as CREATE ANY LIBRARY), to a strong, meaningful password, different from the default that is provided during the initial installation of Oracle.
Lock and expire all other accounts that are not being used in the
database. Read Section 2 of the "Oracle9i Security Checklist" available
on OTN at
http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf
for details.
>>> davidb158_at_hotmail.com 03/19/04 09:52AM >>>
Hi List,
I posted a message on this topic a few days ago. I did not receive any
reply due to my e-mail system issue. So I post it again.
We would like to use InterMedia searching text content against a clob
field.
In order to create domain index for InterMedia, we have to configure
listener for external procedure. But our system administrator says
that it
will open a security hole if we do this. Currentely we are running
Oracle
8.1.7. Does any one know if this issue has been fixed in 8.1.7? Is
there
other way to do text searching instead of InterMedia?
Thanks in advance for any inputs or forwarding previous replies.
ESPN. http://msn.espn.go.com/index.html?partnersite=espn
-- Archives are at http://www.freelists.org/archives/oracle-l/ FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html ----------------------------------------------------------------- ---------------------------------------------------------------- Please see the official ORACLE-L FAQ: http://www.orafaq.com ---------------------------------------------------------------- To unsubscribe send email to: oracle-l-request_at_freelists.org put 'unsubscribe' in the subject line. -- Archives are at http://www.freelists.org/archives/oracle-l/ FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html -----------------------------------------------------------------Received on Sat Mar 20 2004 - 13:28:33 CST
 |
 |