Friday, July 18, 2014

EBS 12.2 / Rdbms -- Listener Poisoning -- Oracle Security Alert CVE-2012-1675

This post will be about a vulnerability, that was discovered in 2008 and was fixed in 2012.
The vulnerability is present in EBS 12.2 , which comes with an 11.2.0.3 Oracle Database.
The problem is addressed in  Oracle Security Alert CVE-2012-1675, and following document explains the fix for that:
Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1)
The reason which makes me write this post,is, that I find the document not clear , especially actions mentioned for testing the fix is not clear.

Here is what you need to ;

If you dont use IPC(EBS 12.2 listener does not use it by default)

Apply the patch 12880299 to the affected Oracle Homes.
Set SECURE_REGISTER_listener_name parameter to (TCP) .. (if your listener name is test then set SECURE_REGISTER_TEST=(TCP) in your listener.ora) .. It is better to set it in listener ifile to prevent autoconfig from overwriting it.
Restart your listener and Test..

To test: login to another Oracle Database which resides on a different server. Set remote listener parameter on that listener , and make it try to register to the database listener which you have fixed above.. You will see an error message in the target listener 's log file (TNS-01194: The listener command did not arrive in a secure transport) This means your fix is in place...

Note that: With this configuration, your listener will not accept any registration request except from Local and TCP.

Tested and verified .. I have implemented these steps, and we could pass the Security Tests in a Customer Environment..

No comments :

Post a Comment