Re: Oracle Security Alert for CVE-2012-1675 - 10g extended support

From: dnrg <dananrg_at_yahoo.com>
Date: Fri, 11 May 2012 12:03:38 -0700 (PDT)
Message-ID: <1336763018.45067.YahooMailNeo_at_web113504.mail.gq1.yahoo.com>



Here are some findings I have so far for this vulnerability. Maybe it will help others. All systems mentioned are non-RAC:
  • Opened an SR to ask about patch 12880299 availability for 10.2.0.X on Linux Itanium. Was told none would be released and to use the IPC fix. Tested and it worked fine.
  • Patch 12880299 worked great on 11.2.0.3.2 x86-64 platforms.
  • Patch 12880299 didn't work at all on 11.2.0.2.6 x86-64 platforms. The patch installs but the protective behavior does not manifest. This wasn't expected, so I used the IPC fix. That worked as expected.

IPC FIX


For the general IPC fix, when you add the following items to your listener.ora, bounce your listener, then do a LSNRCTL> status and LSNRCTL> services, no service handlers will be registered. Not even local ones (except perhaps for an EXTPROC handler). Definitely no Oracle instances. This should prove to you that the SECURE_REGISTER_LISTENER = (IPC) directive is being honored. Perhaps take a screenshot of your listener status / services before bouncing the listener, so you'll know everything you expect to see has returned after the fix.

  1. Add this as another "ADDRESS" list item, where "MyKeyHere" can evidently be whatever you'd like:

(ADDRESS = (PROTOCOL = IPC) (KEY = MyKeyHere))

Then add SECURE_REGISTER_LISTENER = (IPC) beneath your listener definition, where _LISTENER is the actual name of your listener.

LISTENER =
  (DESCRIPTION_LIST =
    (ADDRESS = (PROTOCOL = IPC) (KEY = MyKeyHere))
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = <YourListenerHostNameHere>)(PORT = <whichever port # you use>))
    )
  )

SECURE_REGISTER_LISTENER = (IPC)

  2. After you've bounced your listener and see no instances registered, log on to each Oracle instance running on the same host and do the following. Be sure to use the same key value you specified in your listener.ora.

show parameter local_listener
alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC) (KEY=MyKeyHere)))' scope = both;
show parameter local_listener

  3. Go back to your listener and run a LSNRCTL> services. You should see all the local instances you expect. All will have a designator of LOCAL SERVER. If you see any handlers with REMOTE SERVER, something's wrong.

If in the future you add new instances to the host, you'll need to set LOCAL_LISTENER as above for each one.

  • If you go the patch 12880299 route for non-RAC, you test if the patch is successful, at the very end of all the steps, by logging into an Oracle instance on a different host than the protected listener and doing the following:

show parameter REMOTE_LISTENER
... or grab the pre-test value as follows: select value from v$spparameter where name = 'remote_listener';

alter system set REMOTE_LISTENER='(ADDRESS=(PROTOCOL=TCP)(HOST=<protected listener host name>)(PORT=<####>))' scope=memory;
show parameter REMOTE_LISTENER

And maybe an:   "alter system register" to force a registration attempt.

Then go to the host with your protected listener and inspect the listener.ora file. On *nix you could have already opened it with a "tail -f listener.log". You should see an error something like the following:

<Date/Time here> * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

Also do a LSNRCTL> services to ensure you only see service handlers designated as LOCAL SERVER and not REMOTE SERVER.

After the test, be sure to "alter system set REMOTE_LISTENER" back to its original value for your remote instance.

Hope this helps.

Dana

--
http://www.freelists.org/webpage/oracle-l
Received on Fri May 11 2012 - 14:03:38 CDT
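
An added example, not part of the original message: a small shell helper for the two verification checks the post describes (no REMOTE SERVER handlers in the LSNRCTL> services output, and TNS-01194 rejections in listener.log). The function names, the sample output and the sample log lines are constructed for illustration, and the layout of the services output is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Reads "lsnrctl services" output on stdin and prints each instance that has a
# handler marked REMOTE SERVER. No output means only LOCAL SERVER handlers.
remote_instances() {
    awk '
        $1 == "Instance" { split($0, q, "\""); inst = q[2] }
        $1 == "REMOTE" && $2 == "SERVER" && !(inst in seen) { seen[inst] = 1; print inst }
    '
}

# Reads listener.log text on stdin and prints the number of TNS-01194 lines,
# i.e. registration attempts refused for not arriving over the secure transport.
rejected_registrations() {
    awk '/TNS-01194/ { n++ } END { print n + 0 }'
}

# Constructed sample of services output: one local, one remote registration.
sample_services() {
    cat <<'EOF'
Services Summary...
Service "ORCL" has 1 instance(s).
  Instance "ORCL", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
Service "OTHERDB" has 1 instance(s).
  Instance "OTHERDB", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=otherhost.example)(PORT=1521))
The command completed successfully
EOF
}

# Constructed listener.log excerpt in the shape quoted in the post.
sample_log() {
    cat <<'EOF'
11-MAY-2012 13:40:02 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
11-MAY-2012 13:41:10 * service_update * ORCL * 0
EOF
}

echo "instances with REMOTE SERVER handlers: $(sample_services | remote_instances)"
echo "rejected registrations (TNS-01194): $(sample_log | rejected_registrations)"
```

On a live host, pipe the real services output and the real listener.log into the two functions instead of the samples.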
