{"id":860,"date":"2012-05-15T14:26:49","date_gmt":"2012-05-15T12:26:49","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=860"},"modified":"2013-10-14T22:33:00","modified_gmt":"2013-10-14T20:33:00","slug":"oracle-tns-poison-vulnerability","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2012\/05\/oracle-tns-poison-vulnerability\/","title":{"rendered":"Oracle TNS Poison vulnerability"},"content":{"rendered":"<p>A few days after the last critical patch update Oracle had to post a security alert for CVE-2012-1675. The issue, also known as the &#8220;TNS Listener Poison Attack&#8221;, affects any Oracle Database Server. As a personal reference I have summarized the most important information about this topic.<\/p>\n<h3>Vulnerability Description<\/h3>\n<p>This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as &#8220;TNS Listener Poison Attack&#8221; affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied. The post <a href=\"http:\/\/seclists.org\/fulldisclosure\/2012\/Apr\/204\">The history of a -probably- 13 years old Oracle bug: TNS Poison<\/a> by Joxean Koret explains how this vulnerability can be exploited.<\/p>\n<h3>Impact<\/h3>\n<p>The attack point of this vulnerability is once again the Oracle listener. The impact of this vulnerability depends on the network configuration of the database server and listener. Publicly accessible listeners suffer a lot from this issue, internal listeners a bit less.<\/p>\n<ul>\n<li>Publicly accessible listener, e.g. 
the listener is accessible from the internet => <em>extremely critical<\/em><\/li>\n<li>Listener is accessible from the company network, e.g. any client can access the listener => <em>very critical<\/em><\/li>\n<li>Network zoning or network segmentation is used, e.g. only a limited number of systems (application servers) can access the listener => <em>critical<\/em><\/li>\n<\/ul>\n<h3>Bug fix<\/h3>\n<p>According to Oracle (see web sources below) there is no security fix for this issue. It probably will not be fixed before Oracle 12c. For now there are several workarounds to eliminate or minimize the potential security risk.<\/p>\n<h3>Workaround<\/h3>\n<p>In order to prevent exploitation of the vulnerability, dynamic registration must be switched off or limited (e.g. only local registrations, only certain IPs, or registrations identified by certificate).<\/p>\n<ol>\n<li><em>Switch off dynamic registration<\/em><\/li>\n<p>Switch off dynamic registration by setting <em>dynamic_registration_LISTENER_NAME=off<\/em> in listener.ora according to <a href=\"http:\/\/docs.oracle.com\/cd\/E11882_01\/network.112\/e10835\/listener.htm#BGBCEJHE\">DYNAMIC_REGISTRATION_listener_name<\/a>. Switching off dynamic registration is not an option if you&#8217;re using Oracle DataGuard, RAC or the PL\/SQL Gateway in connection with APEX.<\/p>\n<li><em>Using Class of Secure Transport on single instance databases<\/em><\/li>\n<p>Oracle recommends setting Class of Secure Transport (COST) to restrict instance registration to the local system. This parameter is available since Oracle 10.2.0.3 and can be implemented according to MOS Note <a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=1453883.1\">1453883.1<\/a>.<\/p>\n<li><em>Using Class of Secure Transport in Oracle RAC<\/em><\/li>\n<p>For RAC the use of COST is a bit more complex and requires configuring SSL\/TCPS. This is likewise only possible for Oracle 10.2.0.3 and newer. 
It can be implemented according to MOS Note <a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=1340831.1\">1340831.1<\/a>.<\/p>\n<li><em>Limit Network Access<\/em><\/li>\n<p>Start using valid node checking to limit access to the listener to certain IP addresses.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">\r\n# sqlnet.ora on the database server\r\nTCP.VALIDNODE_CHECKING = YES\r\nTCP.INVITED_NODES = (Comma separated list of ALL valid clients)\r\n<\/pre>\n<li><em>Limit Network Access on the network<\/em><\/li>\n<p>As an alternative, limit network access to the listener at the network layer, e.g. with network segmentation, firewalls etc.<\/p>\n<\/ol>\n<h3>Strategy<\/h3>\n<p>I recommend installing the latest CPU \/ PSU as well as applying one of the workarounds mentioned above. It is good advice to switch off remote registration in general if it is not used, e.g. for RAC.<\/p>\n<p>What to do when the workaround is not available for the database release, e.g. 9i databases? From a security point of view I recommend upgrading the database to the latest supported major release within a reasonable time.<\/p>\n<h3>Web Sources<\/h3>\n<p>Web sources around this topic.<\/p>\n<ul>\n<li><a href=\"http:\/\/www.oracle.com\/technetwork\/topics\/security\/cpuapr2012-366314.html\">Oracle Critical Patch Update Advisory &#8211; April 2012<\/a><\/li>\n<li><a href=\"http:\/\/www.oracle.com\/technetwork\/topics\/security\/alert-cve-2012-1675-1608180.html\">Oracle Security Alert for CVE-2012-1675<\/a><\/li>\n<li>Patch Set Update and Critical Patch Update April 2012 Availability Document [<a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=1406574.1\">1406574.1<\/a>]<\/li>\n<li>Using Class of Secure Transport (COST) to Restrict Instance Registration [<a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=1453883.1\">1453883.1<\/a>]<\/li>\n<li>Using Class of Secure Transport (COST) to Restrict Instance Registration in 
Oracle RAC [<a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=1340831.1\">1340831.1<\/a>]<\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E11882_01\/license.112\/e10594\/editions.htm#DBLIC121\">Oracle Database Standard Edition and Oracle Real Application Clusters (Oracle RAC)<\/a><\/li>\n<li><a href=\"http:\/\/www.doag.org\/home\/aktuelle-news\/article\/workaround-statt-patch-fuer-die-oracle-datenbank-oracle-geraet-aufgrund-ungepatchter-sicherheitslue.html\">Workaround statt Patch f\u00fcr die Oracle Datenbank: Oracle ger\u00e4t aufgrund ungepatchter Sicherheitsl\u00fccke in die Kritik<\/a><\/li>\n<li><a href=\"http:\/\/heise.de\/-1541781\">Oracle dichtet am Patchday 88 L\u00fccken ab<\/a><\/li>\n<li><a href=\"http:\/\/heise.de\/-1563022\">Oracle-Datenbanken anf\u00e4llig f\u00fcr eingeschleuste Lauscher<\/a><\/li>\n<li><a href=\"http:\/\/heise.de\/-1563113\">Kritische Sicherheitsl\u00fccke in Oracle-Datenbank verplappert<\/a><\/li>\n<li><a href=\"http:\/\/heise.de\/-1565358\">Oracle reagiert (ein bisschen) auf verplapperte Sicherheitsl\u00fccke<\/a><\/li>\n<li><a href=\"http:\/\/heise.de\/-1564995\">Oracle \u00e4ndert Lizenzmodell wegen verplapperter Sicherheitsl\u00fccke<\/a><\/li>\n<li><a href=\"http:\/\/www.kb.cert.org\/vuls\/id\/359816\">US-CERT Vulnerability Note VU#359816<\/a><\/li>\n<li><a href=\"http:\/\/seclists.org\/fulldisclosure\/2012\/Apr\/204\">The history of a -probably- 13 years old Oracle bug: TNS Poison<\/a><\/li>\n<li><a href=\"http:\/\/seclists.org\/fulldisclosure\/2012\/Apr\/343\">Oracle TNS Poison vulnerability is actually a 0day with no patch available<\/a><\/li>\n<li>How To Configure Scan Listeners With A TCPS Port? [<a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=1092753.1\">1092753.1<\/a>]<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A few days after the last critical patch update Oracle had to post security alert for CVE-2012-1675. 
The issue also known as &#8220;TNS Listener Poison Attack&#8221; is affecting any Oracle Database Server. As a personal reference I have summarized the most important information about this topic.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[5,11],"tags":[50,138,54,18],"class_list":["post-860","post","type-post","status-publish","format-standard","hentry","category-oracle-database","category-security","tag-advisory","tag-cpu","tag-cve-2012-1675","tag-trivadiscontent"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1aErb-dS","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":788,"url":"https:\/\/www.oradba.ch\/wordpress\/2012\/05\/important-links-around-the-oracle-cpu-psu-april-2012\/","url_meta":{"origin":860,"position":0},"title":"Important links around the Oracle CPU \/ PSU April 2012","author":"Stefan","date":"8. May 2012","format":false,"excerpt":"A few weeks ago oracle officially released the CPU \/ PSU Patches for April 2012. The Critical Patch Updates contains 88 security fixes across all products. But only 6 out of this 88 fixes are for Oracle databases. 
This post will summarize a bit the information and links around this\u2026","rel":"","context":"In &quot;Critical Patch Update&quot;","block_context":{"text":"Critical Patch Update","link":"https:\/\/www.oradba.ch\/wordpress\/category\/patches\/cpu\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":878,"url":"https:\/\/www.oradba.ch\/wordpress\/2012\/10\/oracle-cpu-psu-pre-release-announcement-october-2012\/","url_meta":{"origin":860,"position":1},"title":"Oracle CPU \/ PSU Pre-Release Announcement October 2012","author":"Stefan","date":"12. October 2012","format":false,"excerpt":"Today Oracle has published the Pre-Release Announcement for the october CPU Patch. This Critical Patch Update contains 109 new security vulnerability fixes for several Oracle products. 5 of these fixes are just for the Oracle Database Server.","rel":"","context":"In &quot;10gR2&quot;","block_context":{"text":"10gR2","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/10gr2\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":11271,"url":"https:\/\/www.oradba.ch\/wordpress\/2022\/08\/easily-mitigate-log4j-vulnerability-in-oracle-unified-directory\/","url_meta":{"origin":860,"position":2},"title":"Easily mitigate log4j vulnerability in Oracle Unified Directory","author":"Stefan","date":"26. August 2022","format":false,"excerpt":"In December 2021, the critical vulnerability in Apache Log4j (CVE-2021-44228) was disclosed. With a CVSS rating of 10 out of 10, this vulnerability was or is extremely critical. Especially since Log4j is used relatively widely. Despite a great effort, many applications could only be corrected with a delay. 
Thus, it\u2026","rel":"","context":"In &quot;Bundle Patch&quot;","block_context":{"text":"Bundle Patch","link":"https:\/\/www.oradba.ch\/wordpress\/category\/patches\/bp\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Screenshot-2022-08-25-at-09.00.17.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Screenshot-2022-08-25-at-09.00.17.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Screenshot-2022-08-25-at-09.00.17.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Screenshot-2022-08-25-at-09.00.17.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Screenshot-2022-08-25-at-09.00.17.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Screenshot-2022-08-25-at-09.00.17.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":1671,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/04\/oracle-cpu-psu-pre-release-announcement-april-2014\/","url_meta":{"origin":860,"position":3},"title":"Oracle CPU \/ PSU Pre-Release Announcement April 2014","author":"Stefan","date":"11. April 2014","format":false,"excerpt":"Today Oracle has published the Pre-Release Announcement of the CPU Advisory for April 2014. This Critical Patch Update contains 103 new security vulnerability fixes for several Oracle products. There are only a few days since the publication of the vulnerability CVE-2014-0160 known as \"Heartbleed\". 
Therefore I assume, that this patch\u2026","rel":"","context":"In &quot;11gR1&quot;","block_context":{"text":"11gR1","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/11gr1\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1887,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/10\/oracle-software-appliances-and-bash-shellshock\/","url_meta":{"origin":860,"position":4},"title":"Oracle Software Appliances and Bash Shellshock","author":"Stefan","date":"2. October 2014","format":false,"excerpt":"Late September a vulnerability in the bash Shell has been published. The vulnerability also known as shellshock, was classified as extremely critical. Anyway, in the meantime security patch has been released for the different operating systems and bash implementations. A bugfix is also available for Oracle Enterprise Linux, which is\u2026","rel":"","context":"In &quot;AVDF&quot;","block_context":{"text":"AVDF","link":"https:\/\/www.oradba.ch\/wordpress\/category\/audit\/avdf\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1682,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/04\/update-oracle-and-openssl-heartbleed-vulnerability\/","url_meta":{"origin":860,"position":5},"title":"Update: Oracle and OpenSSL &#8216;Heartbleed&#8217; vulnerability","author":"Stefan","date":"16. April 2014","format":false,"excerpt":"While writing a post about the new Critical Patch Advisory I've discovered, that Oracle made the Information about the OpenSSL Vulnerability publicly available. The information in MOS Note 1645479.1 has been moved to OpenSSL Security Bug - Heartbleed CVE-2014-0160. 
Until now it looks like that Oracle Databases are not affected\u2026","rel":"","context":"In &quot;11gR2&quot;","block_context":{"text":"11gR2","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/11gr2\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/comments?post=860"}],"version-history":[{"count":3,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/860\/revisions"}],"predecessor-version":[{"id":1510,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/860\/revisions\/1510"}],"wp:attachment":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/media?parent=860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/categories?post=860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/tags?post=860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}