Oracle FAQ Your Portal to the Oracle Knowledge Grid

Vulnerability in PL/SQL EXTPROC in Oracle9i Database Alert #29

From: Andrew Ed <aed_at_aed.com>
Date: Sun, 14 Jul 2002 23:04:38 -0400
Message-ID: <3D323BC6.7050508@aed.com>


Hi,

The following is the workaround for Security Alert 29 on the Oracle web site. Can someone please help me understand this? I need some more detailed instructions. Thank you in advance.

################

If the PL/SQL EXTPROC functionality is required in your Oracle installation, there are 5 steps that must be taken in order to protect against the potential security vulnerability identified above.

i. Create 2 Oracle Net Listeners, one for the Oracle database and one for PL/SQL EXTPROC.
Do not specify any EXTPROC specific entries in the configuration files of the Oracle Listener for the database.

Configure the Oracle Listener for PL/SQL EXTPROC with an IPC protocol address only.

If TCP connectivity is required, configure a TCP protocol address, but use a port other than the one the Oracle Listener for the database is using.

Ensure that the Oracle Listener created for PL/SQL EXTPROC runs as an unprivileged OS user (e.g., "nobody" on Unix).

ii. If you have configured the Oracle Listener for PL/SQL EXTPROC with a TCP protocol address, modify the EXTPROC specific entry in $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA to reflect the correct port for the new Oracle Listener.

iii. If you have configured the Listener for PL/SQL EXTPROC with a TCP protocol address, ensure that the connections to this Oracle Listener can only originate from the hosts that need access to EXTPROC by doing the following.

Use an Oracle Net feature called "valid node checking" to allow or deny access to Oracle server processes from network clients with specified IP addresses.

Set the following parameters in $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA ($ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle8i and prior releases) to enable the valid node checking feature:

      tcp.validnode_checking = YES
      tcp.invited_nodes = {list of IP addresses}
      tcp.excluded_nodes = {list of IP addresses}

The first parameter turns on the valid node checking feature. The latter two parameters respectively specify the IP addresses that are permitted to make network connections or denied from making network connections to the Oracle server processes.

Restrict access to the Oracle Listener for PL/SQL EXTPROC only. A separate $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA file is required for this Oracle Listener.

You can store this file in any directory other than the one in which the database LISTENER.ORA and SQLNET.ORA files are located.

Copy the LISTENER.ORA with the configuration of the Oracle Listener for PL/SQL EXTPROC into this other directory as well.

Before starting the Oracle Listener for PL/SQL EXTPROC, set the TNS_ADMIN environment variable (or Windows Registry parameter) to specify the directory in which the new configuration files for PL/SQL EXTPROC are stored.

iv. Ensure that the file permissions on the separate $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA are set at either 640 or 644.

v. Change the password for any privileged database account, or an ordinary user given administrative privileges in the database, that has the ability to add packages or libraries and access system privileges in the database (such as CREATE ANY LIBRARY) to a strong, meaningful password, different from the default that is provided during the initial installation of Oracle.
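Steps i to iv above are a file-layout exercise, so here is the layout written out. This is an added example, not code from the original post or from Oracle's alert: a POSIX shell script that writes the two-listener configuration into separate directories and then audits it against the alert's rules (no EXTPROC entries in the database listener, IPC-only EXTPROC listener, 640/644 mode, and a tnsnames.ora IPC key that actually matches the EXTPROC listener). The listener name LISTENER_EXTPROC, the IPC key EXTPROC1, the SID PLSExtProc, the host name dbhost, port 1526 and the ORACLE_HOME path are all assumptions; the "stock" layout is a constructed copy of the combined single-listener setup the alert warns about, included only so the audit has something to reject. The script generates and checks files; it never starts a listener.

```shell
#!/bin/sh
# Added example, not part of the original post or of Oracle's alert text.
# Builds the split-listener layout from Security Alert #29 under a scratch
# root and audits it. Assumed names: listener LISTENER_EXTPROC, IPC key
# EXTPROC1, SID PLSExtProc, host dbhost, directories $ROOT/db and
# $ROOT/extproc, and the ORACLE_HOME path below. Generates files only.
set -eu
umask 027                                   # new files come out as 640 (step iv)

ORACLE_HOME="${ORACLE_HOME:-/u01/app/oracle/product/9.2.0}"   # assumed path

# Constructed copy of the stock single-listener layout the alert warns about:
# one listener serving both the TCP database endpoint and EXTPROC.
write_stock_listener() {
    mkdir -p "$1"
    cat > "$1/listener.ora" <<EOF
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = $ORACLE_HOME)(PROGRAM = extproc))
    (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = $ORACLE_HOME))
  )
EOF
}

# Steps i/ii, database side: TCP listener with no EXTPROC entries, plus the
# tnsnames.ora alias the server process dials to reach the EXTPROC listener.
# The IPC KEY here must match the one in the EXTPROC listener.ora.
write_db_config() {
    mkdir -p "$1"
    cat > "$1/listener.ora" <<EOF
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = $ORACLE_HOME)))
EOF
    cat > "$1/tnsnames.ora" <<EOF
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    (CONNECT_DATA = (SID = PLSExtProc))
  )
EOF
}

# Steps i/iii, EXTPROC side: IPC-only listener in its own TNS_ADMIN directory.
# If $2 (comma-separated IPs) is given, a TCP endpoint on port 1526 is added
# and sqlnet.ora restricts it with valid node checking.
write_extproc_config() {
    dir=$1; invited=${2:-}
    mkdir -p "$dir"
    {
        echo "LISTENER_EXTPROC ="
        echo "  (DESCRIPTION_LIST ="
        echo "    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1)))"
        if [ -n "$invited" ]; then
            echo "    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1526)))"
        fi
        echo "  )"
        echo "SID_LIST_LISTENER_EXTPROC ="
        echo "  (SID_LIST ="
        echo "    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = $ORACLE_HOME)(PROGRAM = extproc))"
        echo "  )"
    } > "$dir/listener.ora"
    if [ -n "$invited" ]; then
        cat > "$dir/sqlnet.ora" <<EOF
tcp.validnode_checking = YES
tcp.invited_nodes = ($invited)
EOF
    fi
}

# Audit helpers; each returns 0 when the file satisfies the rule.
no_extproc_entries() { ! grep -qi 'extproc' "$1"; }          # database listener.ora
ipc_only()           { ! grep -qi 'PROTOCOL *= *TCP' "$1"; }  # EXTPROC listener.ora
validnode_enabled()  { grep -qi '^tcp.validnode_checking *= *YES' "$1"; }
mode_ok() {                                                   # step iv: 640 or 644
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$m" = 640 ] || [ "$m" = 644 ]
}
# The IPC key dialled from the database side ($1/tnsnames.ora) must be one the
# EXTPROC listener ($2/listener.ora) actually owns, or EXTPROC calls fail.
ipc_key_matches() {
    key=$(sed -n 's/.*PROTOCOL = IPC)(KEY = \([A-Za-z0-9_]*\)).*/\1/p' "$1/tnsnames.ora")
    grep -q "(KEY = $key)" "$2/listener.ora"
}

# Build everything under a scratch root and report each rule.
build_and_audit() {
    root=$1
    write_stock_listener "$root/stock"
    write_db_config "$root/db"
    write_extproc_config "$root/extproc"
    no_extproc_entries "$root/stock/listener.ora" || echo "stock: listener also serves EXTPROC (reject)"
    no_extproc_entries "$root/db/listener.ora"    && echo "db: no EXTPROC entries (ok)"
    ipc_only "$root/extproc/listener.ora"         && echo "extproc: IPC address only (ok)"
    mode_ok "$root/extproc/listener.ora"          && echo "extproc: listener.ora mode 640/644 (ok)"
    ipc_key_matches "$root/db" "$root/extproc"    && echo "IPC key consistent between tnsnames.ora and listener.ora (ok)"
}

# Usage: EXTPROC_ROOT=/tmp/alert29 sh alert29.sh
if [ -n "${EXTPROC_ROOT:-}" ]; then build_and_audit "$EXTPROC_ROOT"; fi
```

With the files in place, the EXTPROC listener is started from an unprivileged account with TNS_ADMIN pointing at its own directory, for example `TNS_ADMIN=/var/opt/oracle/extproc lsnrctl start LISTENER_EXTPROC` run as nobody (the path is an assumption), while the database listener keeps using $ORACLE_HOME/network/admin. The audit deliberately checks the IPC key on both sides: the alert tells you to change the port in tnsnames.ora for the TCP case, but the same consistency requirement applies to the IPC key, and a mismatch only shows up as ORA-28575 at the first EXTPROC call. Step v (changing passwords on accounts holding CREATE ANY LIBRARY and similar privileges) is an administrative task the script does not cover.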
