Listener Vulnerabilities - how to address them
Date: Wed, 09 Apr 2008 17:19:59 +0100
Message-Id: <1207757999.3029.19.camel@comet.sequestor.lan>
Hi All,
Most of you are probably aware of the following document, or similar.
http://www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf
We support roughly 100 Oracle databases ranging from 8i to 10g, running on Windows and Unix (Solaris), mostly 9i.
The above documentation has been brought to our attention by one of our users. The questions being asked are:
Are we vulnerable?
If so, how do you propose to address that?
I'm still doing some investigation, thought I would see if someone here has:
- Come across this problem and sorted it
- Known about this problem, and taken it into account on installation of Oracle
- Decided that it's not as bad as it seems, and has disregarded it.
Initial reaction from our team is that setting passwords for the listeners would break backup scripts, apparently the listener is stopped for backups. Hardcoding passwords in these scripts is not really an option.
We are setting in place a plan for applying CPUs to the servers. But as I understand it, these vulnerabilities are not addressed by the CPUs.
Anyone?
-- S. Anthony SequeiraReceived on Wed Apr 09 2008 - 11:19:59 CDT
++
Ralph's Observation: It is a mistake to let any mechanical object realise that you are in a hurry.
++
-- http://www.freelists.org/webpage/oracle-l