Re: Oracle Security Alert for CVE-2012-1675 - 10g extended support
Date: Fri, 11 May 2012 11:30:48 -0400
Message-ID: <CAEgY-F5xSSp75PHO5E3nZ2PRZbrbzQhPVe5-yb5DcX+MvJLu5A_at_mail.gmail.com>
I had the same response from Oracle to my SR on a related subject. Though I may switch to IPC, I no longer do dynamic registrations, at least for now. Cheers, Wayne
- "Never argue with an idiot. They drag you down to their level and then beat you with experience." - Unknown
On Thu, May 10, 2012 at 4:34 PM, Jiang, Lu <Lu.Jiang_at_umassmed.edu> wrote:
> Turnning dynamic_registration off workaround is supported if we don't
> care about dynamically registering instances :)
> The following is what I got from Oracle support, this is regarding our
> 10.2.0.3 EBS database.
> We don't recommend setting dynamic registration OFF. Allowing PMON to
> dynamically register an instance is considered Best Practice even in
> non-RAC installations.
>
> The IPC workaround is the recommended solution for non-RAC installations.
>
> Having said that, you can certainly turn off dynamic registration and it
> will protect your listener from this vulnerability.
> The setting is supported by Oracle.
>
>
>
> From: Carol Dacko [mailto:dackoc_at_gmail.com]
> Sent: Thursday, May 03, 2012 5:37 PM
> To: Allen, Brandon
> Cc: oracle Freelists; Lu.Jiang_at_umassmed.edu; bdbafh_at_gmail.com
> Subject: Re: Oracle Security Alert for CVE-2012-1675 - 10g extended support
>
> Our 10g databases use 10g listeners, our 11g databases, 11g listeners.
>
> I have not tested yet to see if it protects the 10g listeners with that
> work around. That will be a task for tomorrow.
>
> HTH!
> Carol
> On Thu, May 3, 2012 at 2:50 PM, Allen, Brandon <Brandon.Allen_at_oneneck.com
> <mailto:Brandon.Allen_at_oneneck.com>> wrote:
> Thanks Carol, but the dynamic_registration_listener_name parameter appears
> to be undocumented in 10g (as far as I could tell) and therefore may not be
> fully supported. I found it here in the 11.2 doc:
>
>
> http://docs.oracle.com/cd/E11882_01/network.112/e10835/listener.htm#BGBCEJHE
>
> But, couldn't find it anywhere in the 10.2 doc. I also found MOS doc
> 130574.1, which suggests using the dynamic_registration_listener_name
> parameter only in 11g and up and says that dynamic registration "can't be
> disabled in versions 10g and lower from the listener side". I haven't
> tested it myself yet, but from your info below, it sounds like the
> parameter does work in 10g, or are your 10g databases only using 11g
> listeners?
>
> Thanks,
> Brandon
>
>
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org>
> [mailto:oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org>]
> On Behalf Of Carol Dacko
>
>
> All,
> *THE FOLLOWING IS NOT APPLICABLE FOR RAC* - only single instance Oracle
> databases
>
> This is what we are doing to protect our 10g and 11g versions of the
> listener before we can apply the workaround described in the CVE_2012_1675.
>
> Directions
> 1) Save listener.ora file to listener.ora.OLD1
> 2) Edit the listener.ora file by putting in
> DYNAMIC_REGISTRATION_<NAME_OF_LISTENER> = OFF
> <snip>
>
>
> ________________________________
>
> Privileged/Confidential Information may be contained in this message or
> attachments hereto. Please advise immediately if you or your employer do
> not consent to Internet email for messages of this kind. Opinions,
> conclusions and other information in this message that do not relate to the
> official business of this company shall be understood as neither given nor
> endorsed by it.
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>
-- http://www.freelists.org/webpage/oracle-lReceived on Fri May 11 2012 - 10:30:48 CDT