RE: Oracle Security Alert for CVE-2012-1675 - 10g extended support

From: Jiang, Lu <Lu.Jiang_at_umassmed.edu>
Date: Thu, 10 May 2012 16:34:18 -0400
Message-ID: <E456CBDCBA39124DA45560EA116A22E7C8486C094C_at_MBLEXCH.mbl.org>



Turning dynamic_registration off workaround is supported if we don't care about dynamically registering instances :) The following is what I got from Oracle support, this is regarding our 10.2.0.3 EBS database.

We don't recommend setting dynamic registration OFF. Allowing PMON to dynamically register an instance is considered Best Practice even in non-RAC installations.

The IPC workaround is the recommended solution for non-RAC installations.

Having said that, you can certainly turn off dynamic registration and it will protect your listener from this vulnerability. The setting is supported by Oracle.

From: Carol Dacko [mailto:dackoc_at_gmail.com]
Sent: Thursday, May 03, 2012 5:37 PM
To: Allen, Brandon
Cc: oracle Freelists; Lu.Jiang_at_umassmed.edu; bdbafh_at_gmail.com
Subject: Re: Oracle Security Alert for CVE-2012-1675 - 10g extended support

Our 10g databases use 10g listeners, our 11g databases, 11g listeners.

I have not tested yet to see if it protects the 10g listeners with that workaround. That will be a task for tomorrow.

HTH!
Carol

On Thu, May 3, 2012 at 2:50 PM, Allen, Brandon <Brandon.Allen_at_oneneck.com> wrote:

Thanks Carol, but the dynamic_registration_listener_name parameter appears to be undocumented in 10g (as far as I could tell) and therefore may not be fully supported. I found it here in the 11.2 doc:

http://docs.oracle.com/cd/E11882_01/network.112/e10835/listener.htm#BGBCEJHE

But, couldn't find it anywhere in the 10.2 doc. I also found MOS doc 130574.1, which suggests using the dynamic_registration_listener_name parameter only in 11g and up and says that dynamic registration "can't be disabled in versions 10g and lower from the listener side". I haven't tested it myself yet, but from your info below, it sounds like the parameter does work in 10g, or are your 10g databases only using 11g listeners?

Thanks,
Brandon

-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Carol Dacko

All,
*THE FOLLOWING IS NOT APPLICABLE FOR RAC* - only single instance Oracle databases

This is what we are doing to protect our 10g and 11g versions of the listener before we can apply the workaround described in the CVE_2012_1675.

Directions
1) Save listener.ora file to listener.ora.OLD1
2) Edit the listener.ora file by putting in DYNAMIC_REGISTRATION_<NAME_OF_LISTENER> = OFF
<snip>


--
http://www.freelists.org/webpage/oracle-l
Received on Thu May 10 2012 - 15:34:18 CDT
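
An added example, not part of the original thread or of Oracle's tooling: a small Python check that reads a listener.ora and lists the listeners that do not yet carry the DYNAMIC_REGISTRATION_<NAME_OF_LISTENER> = OFF line from the directions above. The sample file contents, host names and function names are constructed for illustration, and treating any top-level entry that contains an ADDRESS clause as a listener definition is an assumption.

```python
import re

# Constructed sample listener.ora (not from the thread): two listeners,
# only the first has the DYNAMIC_REGISTRATION_<name> = OFF line.
SAMPLE = """
# constructed example
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = PROD)(ORACLE_HOME = /u01/app/oracle)))
DYNAMIC_REGISTRATION_LISTENER = off

LISTENER_EBS =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1522)))
"""

def top_level_params(text):
    """Return {NAME: value} for assignments at parenthesis depth 0."""
    text = re.sub(r"#[^\n]*", "", text)           # drop comments
    depth, masked = 0, []
    for ch in text:                               # blank out nested content so
        if ch == "(":                             # only depth-0 'NAME =' matches
            depth += 1
        elif ch == ")":
            depth -= 1
        masked.append(ch if depth == 0 and ch not in "()" else " ")
    hits = list(re.finditer(r"([A-Za-z_][\w.]*)\s*=", "".join(masked)))
    params = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        params[m.group(1).upper()] = " ".join(text[m.end():end].split())
    return params

def listeners_still_registering(text):
    """Names of listeners lacking DYNAMIC_REGISTRATION_<name> = OFF."""
    params = top_level_params(text)
    # Assumption: an entry whose value holds an ADDRESS clause is a listener.
    listeners = [n for n, v in params.items()
                 if re.search(r"\(\s*ADDRESS\b", v, re.I)]
    return sorted(n for n in listeners
                  if params.get("DYNAMIC_REGISTRATION_" + n, "").upper() != "OFF")

if __name__ == "__main__":
    for name in listeners_still_registering(SAMPLE):
        print(f"{name}: dynamic registration not disabled")
```

To check a real file, pass its contents (for example `open(path).read()`) to `listeners_still_registering` in place of `SAMPLE`.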