RE: Question on Oracle Security Alert for CVE-2012-1675

From: <rajendra.pande_at_ubs.com>
Date: Wed, 2 May 2012 12:19:37 -0400
Message-ID: <7E4D006EA3F0D445B62672082A16A5655786EE_at_NSTMC703PEX.ubsamericas.net>

ORACLE has given a temporary reprieve from licencing See -
https://blogs.oracle.com/security/entry/security_alert_for_cve_2012

However, RAC customers who were previously not licensed for Oracle Advanced Security need not be concerned about a licensing restriction as Oracle has updated its licensing to allow these customers a restricted use of these features (namely SSL and TLS) to protect themselves against vulnerability CVE-2012-1675.

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Radoulov, Dimitre Sent: Wednesday, May 02, 2012 11:42 AM
To: martin.a.berger_at_gmail.com
Cc: ksmadduri_at_gmail.com; oracle Freelists Subject: Re: Question on Oracle Security Alert for CVE-2012-1675

Hi,
if I am reading Note 1340831.1 correctly, in order to secure the communication
between pmon and the scan listeners, we'll need to use SSL.

There is a note about _licensing changes_:

Please refer to the Oracle licensing documentation available on Oracle.com regarding licensing changes that allow Oracle Advanced Security SSL/TLS to be used with Oracle SE Oracle Real Application Clusters and Oracle Enterprise Edition Real Application Customers (Oracle RAC) and Oracle RAC OneNode Options.

I am trying to understand if we need to buy the Advanced Security option in order to fix the issue (I hope we don't ...).

Can anybody throw some light on this?

Thanks
Dimitre

On Wed, May 2, 2012 at 3:48 PM, Martin Berger <martin.a.berger_at_gmail.com> wrote:
> Hi Kumar,
>
> even untested,
> yes, that is enough.
>
> for local listener
> SECURE_REGISTER_LISTENER = (TCP)
> is the same in both documents (it's just more widely explained in
1453883.1).
>
> as this is a real new topic and many are interested in it's details,
> please share all your findings?
>
> Martin
>
> On Wed, May 2, 2012 at 9:24 AM, Kumar Madduri <ksmadduri_at_gmail.com>
wrote:
>> Hi
>> Two notes are given for applying the fix for this alert (one for rac
and
>> another for non-rac).
>> We dont use scan listeners on a 2 node rac. So after reading the note
>> 1340831.1, I think the steps listed for scan listeners are not
required
>> (creating wallet and other steps that follow).
>> In this case note 1453883.1 (for non-rac) is applicable for rac as
well.
>> I am going to re-read the notes again and raise SR if required but
thought
>> about checking with the list as well.
>>
>>
>> Thank you
>> Kumar
>>
>>
>> --
>> http://www.freelists.org/webpage/oracle-l
> --
> http://www.freelists.org/webpage/oracle-l
>
>

--
http://www.freelists.org/webpage/oracle-l


Please visit our website at 
http://financialservicesinc.ubs.com/wealth/E-maildisclaimer.html 
for important disclosures and information about our e-mail 
policies. For your protection, please do not transmit orders 
or instructions by e-mail or include account numbers, Social 
Security numbers, credit card numbers, passwords, or other 
personal information.
--
http://www.freelists.org/webpage/oracle-l

Received on Wed May 02 2012 - 11:19:37 CDT

This message: [ Message body ]
Next message: Paul Harrison: "Replication - Trigger"
Previous message: goran bogdanovic: "Re: log buffer size and log file syncs"
In reply to: Radoulov, Dimitre: "Re: Question on Oracle Security Alert for CVE-2012-1675"
Next in thread: Ilmar Kerm: "Re: Question on Oracle Security Alert for CVE-2012-1675"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message