Re: Will Oracle Security Alert for CVE-2012-1675 non-RAC fixes work with CMAN, etc?

From: Martin Berger <martin.a.berger_at_gmail.com>
Date: Tue, 8 May 2012 18:56:59 +0200
Message-ID: <CALH8A92GRjpmWgMHffOc0694AwcLpNRR2gFrkvrJD+zqk_-7Vw_at_mail.gmail.com>



Dana,

Yes, at the moment you make sure DST= _only_ points to the hosts which are expected to serve SRV, you are protected. In fact there is a little hole, where someone hijacks the DB-Server host and, instead of attacking the DB directly, hijacks the CMAN. But I'd say in this case there are bigger problems than CMAN.

In the Note mentioned, "node1" is the "good one" and "node2" the "hijacker". If you want to save a CMAN which serves a service from a RAC, you should add all Listener-IPs of this RAC. (I'd guess only the hostname-VIPs are enough, but I never tested this in detail.)

I'd say 12880299 is not needed for CMAN at all. If your OID has its own listener, apply it in the home for this listener.

hth
 Martin

On Tue, May 8, 2012 at 5:10 PM, dnrg <dananrg_at_yahoo.com> wrote:
> Thanks Martin. Based on what you said, your blog entry, and MOS ID
> 1455068.1, I believe we may already be protected. Unless I'm not understanding
> things correctly. Does the mere presence alone of one or more CMAN rules
> routing traffic to specific instances rule out any hijacking? For example,
> we have rules for each instance having the following form:
>
>  (rule=
>     (src=*)
>     (dst=<host containing oracle database of interest>)
>     (srv=<fully qualified service name of instance>)
>     (act=accept))
>
> The Node 1 and Node 2 verbiage in the MOS note I don't fully understand.
> What does it mean to have more than one "node" in this context? Some RAC
> tie-in? Failover / multiple CMAN instances? (we have a few).
>
> I have a follow-on question; not sure if this should be a reply to other
> pre-existing posts on this vulnerability or create a new one. Any
> suggestions?
> Anyway, I'm trying to apply patch 12880299 to an 11.2.0.3 Linux-x86 box used
> only for CMAN and OID. There is no ASM / Grid Infrastructure. The host has
> both a "client home" and a "db home". And the listener runs out of the
> client home. On page 1 of the READ ME, Product Patched lists "RDBMS, ASM."
> Again, no ASM here.
>
> So my question is this:
>
> Do I apply the patch only to the "client home" since that's where the
> listener runs from? Or would it also be necessary to apply the patch again
> to the 11g database home?
>

--
http://www.freelists.org/webpage/oracle-l
Received on Tue May 08 2012 - 11:56:59 CDT
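
An added example, not part of the thread and not Oracle tooling: a small Python check for the condition discussed above, that every accepting CMAN rule names a dst that is expected to serve its srv. The host names, service names and the EXPECTED inventory are constructed assumptions; dst values are compared as literal strings (no DNS, IP or subnet handling).

```python
import re

# Constructed sample in the rule form quoted in the thread (names are made up).
SAMPLE_RULES = """
(rule_list=
  (rule=(src=*)(dst=dbhost1.example.com)(srv=sales.example.com)(act=accept))
  (rule=(src=*)(dst=*)(srv=hr.example.com)(act=accept))
  (rule=(src=*)(dst=rogue.example.com)(srv=sales.example.com)(act=accept))
  (rule=(src=*)(dst=dbhost2.example.com)(srv=*)(act=reject))
)
"""

# Assumption: the administrator's own inventory of which hosts serve which service.
EXPECTED = {
    "sales.example.com": {"dbhost1.example.com"},
    "hr.example.com": {"dbhost2.example.com"},
}

FIELD = re.compile(r"\(\s*(src|dst|srv|act)\s*=\s*([^()\s]+)\s*\)", re.I)

def parse_rules(text):
    """Return one dict of lower-cased fields per (rule=...) group."""
    rules = []
    # "(rule_list=" does not match this split pattern, only "(rule=" does.
    for chunk in re.split(r"\(\s*rule\s*=", text, flags=re.I)[1:]:
        rules.append({k.lower(): v.lower() for k, v in FIELD.findall(chunk)})
    return rules

def audit(rules, expected):
    """Flag accept rules whose dst is not a host expected to serve the srv."""
    findings = []
    all_hosts = set().union(*expected.values()) if expected else set()
    for n, rule in enumerate(rules, 1):
        if rule.get("act") != "accept":
            continue
        # A missing field is treated as unrestricted (assumption).
        dst, srv = rule.get("dst", "*"), rule.get("srv", "*")
        allowed = all_hosts if srv == "*" else expected.get(srv, set())
        if dst == "*":
            findings.append((n, f"dst is a wildcard for srv={srv}"))
        elif dst not in allowed:
            findings.append((n, f"dst={dst} is not expected to serve srv={srv}"))
    return findings

if __name__ == "__main__":
    for number, reason in audit(parse_rules(SAMPLE_RULES), EXPECTED):
        print(f"rule {number}: {reason}")
```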
