Re: Oracle Security Alert for CVE-2012-1675 - 10g extended support

From: Paul Drake <bdbafh_at_gmail.com>
Date: Thu, 3 May 2012 10:34:45 -0400
Message-ID: <CAPptggXthOkQnnq7wOD8dfheDbB5Gz2SOF-EYPwJsBT83vA_ow_at_mail.gmail.com>

Lu,
The vulnerability that you refer to is in the Oracle TNS Listener. It is not specifically in the Oracle database server software executable, oracle.exe.
If you are entitled to an upgrade to the 11g R2 version of the database server software, you could download and install 11.2.0.2, apply the 11.2.0.2 p17 patch (CPUApr2012), apply the OC4J patch, copy your existing listener.ora, sqlnet.ora and tnsnames.ora files from the existing %ORACLE_HOME%\network\admin to the newly installed 11.2.0.2 home and set the parameter "SECURE_REGISTER_LISTENER = (IPC)" in the listener.ora and fire up an 11.2.0.2 listener.
You'll still need to add a description using the IPC protocol in the listener.ora if one doesn't already exist, and populate the parameter local_listener in each of the databases' respective spfiles.

You could even use the 11.2.0.3 patchset (again if you are so entitled).

This would not protect the existing 10.2.0.x databases from the other vulnerabilities that have been fixed since the terminal CPU for 10.2.0.x was issued last July.
It would protect them from the vulnerability which this thread mentions.

hth.

Paul

On Thu, May 3, 2012 at 10:19 AM, Jiang, Lu <Lu.Jiang_at_umassmed.edu> wrote:

> Sorry, that was my typo; thanks, Dimitre, for pointing it out. Still could not
> find the patch for the Windows platform. I have submitted an SR for this.
>
> We have a couple of 10g databases and currently have no plan to upgrade
> them. The new patch requires Extended Support service for 10g databases.
> Does anyone know how much it would cost for the Extended Support?
>
> Thanks,
> Lu
>
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org]
> On Behalf Of Radoulov, Dimitre
> Sent: Thursday, May 03, 2012 4:28 AM
> To: Lu.Jiang_at_umassmed.edu
> Cc: oracle Freelists
> Subject: Re: Question on Oracle Security Alert for CVE-2012-1675
>
> On 02/05/2012 23:40, Jiang, Lu wrote:
> > Note 1453883.1 suggests applying the patch for bug 1288029. I could only find
> > the patch for the Linux platform and could not find anything for other platforms.
> > I tried to search for this bug by Bug Number or in the Bug Database on metalink;
> > nothing was returned. I will submit an SR for this once I get a chance.
>
> I believe the correct bug number is 12880299 (one more 9 at the end).
> I see the complete Oracle supported platform list on MOS.
>
>
> Regards
> Dimitre
> --
> http://www.freelists.org/webpage/oracle-l

-- 
http://www.completestreets.org/faq.html
http://safety.fhwa.dot.gov/ped_bike/docs/pamanual.pdf
Received on Thu May 03 2012 - 09:34:45 CDT
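The listener.ora change Paul describes above (add an IPC endpoint, restrict instance registration with SECURE_REGISTER_LISTENER = (IPC), then point each database's local_listener at that IPC address) is easy to get half-right: the parameter name must match the listener name, and a registration restriction without a matching IPC endpoint leaves the instances unable to register at all. The following is an added audit script, not code from the thread or from Oracle: it parses a listener.ora, reports whether remote TCP registration is still open, and flags the missing-endpoint failure mode. The sample listener.ora texts are constructed; the hostname, port and the IPC KEY value `REGISTER` are placeholders, and `local_listener_sql` is an illustrative helper that only builds the ALTER SYSTEM statement for the database side.

```python
import re

# Constructed sample: a default-style listener.ora before the mitigation is
# applied (TCP endpoint only, no SECURE_REGISTER_<listener> parameter).
LISTENER_ORA_BEFORE = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
"""

# Constructed sample: the same listener after the change discussed in the
# thread. An IPC endpoint is added and registration is limited to IPC.
LISTENER_ORA_AFTER = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
    )
  )

SECURE_REGISTER_LISTENER = (IPC)
"""

# Constructed sample of the half-applied change: registration is restricted
# to IPC, but the listener has no IPC endpoint, so local instances cannot
# register and the databases become unreachable through this listener.
LISTENER_ORA_MISSING_IPC = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )

SECURE_REGISTER_LISTENER = (IPC)
"""

# A top-level listener.ora entry is 'NAME =' at the start of a line.
TOP_LEVEL = re.compile(r"^([A-Za-z_][\w.]*)\s*=", re.MULTILINE)


def top_level_entries(text):
    """Split a listener.ora into {NAME: body} for each top-level assignment."""
    entries = {}
    matches = list(TOP_LEVEL.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries[m.group(1).upper()] = text[m.end():end]
    return entries


def endpoint_protocols(body):
    """Protocols of every (ADDRESS = (PROTOCOL = ...)) inside a listener block."""
    return {p.upper() for p in
            re.findall(r"\(\s*PROTOCOL\s*=\s*(\w+)\s*\)", body, re.IGNORECASE)}


def secure_register_protocols(entries, listener_name):
    """Protocols listed in SECURE_REGISTER_<listener>, or None if unset."""
    body = entries.get(f"SECURE_REGISTER_{listener_name.upper()}")
    if body is None:
        return None
    return {p.upper() for p in re.findall(r"\w+", body)}


def audit_listener(text, listener_name="LISTENER"):
    """Report endpoints, the registration restriction and any findings."""
    entries = top_level_entries(text)
    protocols = endpoint_protocols(entries.get(listener_name.upper(), ""))
    allowed = secure_register_protocols(entries, listener_name)
    findings = []
    if allowed is None:
        findings.append(f"SECURE_REGISTER_{listener_name.upper()} not set: "
                        "any host that can reach the TCP endpoint may register a service")
    elif allowed != {"IPC"}:
        findings.append(f"registration allowed over {sorted(allowed)}, not IPC only")
    if allowed is not None and "IPC" in allowed and "IPC" not in protocols:
        findings.append("registration restricted to IPC but the listener has no "
                        "IPC endpoint: local instances cannot register")
    return {"endpoints": sorted(protocols),
            "secure_register": None if allowed is None else sorted(allowed),
            "findings": findings}


def local_listener_sql(ipc_key):
    """Database-side statement pointing local_listener at the IPC endpoint."""
    address = f"(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY={ipc_key})))"
    return f"ALTER SYSTEM SET local_listener='{address}' SCOPE=BOTH;"


if __name__ == "__main__":
    for label, cfg in [("before", LISTENER_ORA_BEFORE), ("after", LISTENER_ORA_AFTER),
                       ("missing ipc", LISTENER_ORA_MISSING_IPC)]:
        print(label, audit_listener(cfg))
    print(local_listener_sql("REGISTER"))
```

The parameter name is derived from the listener name, so a listener called `LSNR_PROD` needs `SECURE_REGISTER_LSNR_PROD`; pass that name as `listener_name` or the audit will report the parameter as unset. Run the audit again after restarting the listener and confirm with `lsnrctl status` that each instance has registered over the IPC endpoint before relying on the restriction.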