Re: Will Oracle Security Alert for CVE-2012-1675 non-RAC fixes work with CMAN, etc?

From: Martin Berger <martin.a.berger_at_gmail.com>
Date: Mon, 7 May 2012 18:36:50 +0200
Message-ID: <CALH8A93KH-sQZ9PqUDM1Wc-jatnN5ihVHS2KMRevKbD+SBH4xg_at_mail.gmail.com>



Hi Dana,

I asked the question already, and summarised my answers here: http://berxblog.blogspot.com/2012/05/how-to-secure-cman-against-cve-2012.html

The original note is
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1455068.1

Q1) from my SR: "CMAN uses a listener that does not support TCPS and cannot take advantage of the COST protections outlined in Doc ID 1453883.1 and Doc ID 1340831.1."

Q2) If you have source_routing, it's ok. Otherwise it will kill your CMAN setup.

IPC can only be used with listeners at the same node as PMON - don't know if this is the case in your CMAN setup.

I'd say a proper

        (rule=(src=*)(dst=10.220.8.114)(srv=*)(act=accept))

with DST pointing to your local listeners is a quite 'cheap' and easy solution.

hth
 Martin

On Mon, May 7, 2012 at 5:00 PM, dnrg <dananrg_at_yahoo.com> wrote:
> We don't use RAC but we do use CMAN for most connections (with Oracle instances ranging from 10.2.0.3 to 11.2.0.3). CMAN's not a product I understand very well.
>
> Q1) Will the fixes mentioned in MOS ID 1453883.1 (both TCP and IPC), as well as the DYNAMIC_REGISTRATION_LISTENER=OFF fix, work when CMAN is involved? Please excuse my ignorance here but should that make a difference?
>
> Q2) Sounds like DYNAMIC_REGISTRATION_LISTENER=OFF is the quickest way to fix this issue. Another poster asked if Oracle would support this. Does anyone
>
> Q3) Oracle's IPC fix shows the example name REGISTER. If we don't already have an IPC entry in various listener.ora files, does it matter what name we choose for this?
>
> Q4) Of the two official fixes, the 02-May-2012 version of MOS ID 1453883.1 states that "Either method works equally well but the TCP method is easier to implement." The 05-May-2012 version now states "Either method accomplishes the same goal but it is your choice which of them to implement." Are there any "gotchas" or things to be mindful of regarding the IPC method? With a large volume of listeners to remediate I'd prefer not to patch as a first approach. The IPC method doesn't look so bad and doesn't require patching. Am I missing anything important here in my decision about which method to use?
>
> Thanks very much.
>
> Dana
> --
> http://www.freelists.org/webpage/oracle-l
>

--
http://www.freelists.org/webpage/oracle-l
Received on Mon May 07 2012 - 11:36:50 CDT
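
An added example, not part of the original message or of Oracle's documentation: a small Python check that parses CMAN rules in the form quoted in the reply above and reports accept rules whose dst is not one of the known listener hosts. The function names, the sample rule_list and the address 192.0.2.50 are constructed for illustration.

```python
import re

# One CMAN rule as written in the post: (rule=(src=..)(dst=..)(srv=..)(act=..))
# "(rule_list=" does not match because "=" must follow "rule" directly.
RULE_RE = re.compile(r"\(\s*rule\s*=\s*((?:\(\s*\w+\s*=\s*[^()]*\)\s*)+)", re.I)
FIELD_RE = re.compile(r"\(\s*(\w+)\s*=\s*([^()]*?)\s*\)")


def parse_rules(text):
    """Return each rule as a dict of lower-cased field names to values."""
    rules = []
    for match in RULE_RE.finditer(text):
        fields = {k.lower(): v for k, v in FIELD_RE.findall(match.group(1))}
        rules.append(fields)
    return rules


def audit_rules(text, listener_hosts):
    """Flag accept rules whose dst is not one of the known listener hosts."""
    allowed = {h.lower() for h in listener_hosts}
    findings = []
    for number, rule in enumerate(parse_rules(text), start=1):
        if rule.get("act", "").lower() != "accept":
            continue  # reject/drop rules do not open a path to a listener
        dst = rule.get("dst", "")
        if dst.lower() not in allowed:
            findings.append((number, dst))
    return findings


# Constructed sample rule_list; only the first rule's form comes from the post.
SAMPLE = """
(rule_list=
  (rule=(src=*)(dst=10.220.8.114)(srv=*)(act=accept))
  (rule=(src=*)(dst=*)(srv=*)(act=accept))
  (rule=(src=*)(dst=192.0.2.50)(srv=*)(act=reject))
)
"""

if __name__ == "__main__":
    for number, dst in audit_rules(SAMPLE, ["10.220.8.114"]):
        print(f"rule {number}: accepts connections to unlisted dst {dst!r}")
```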
