2025-04-02 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Environment: Windows 2008 R2 + Oracle 10.2.0.3
After applying the latest bundle patch, the vulnerability scan still reported the Oracle Database Server 'TNS Listener' remote data poisoning vulnerability (CVE-2012-1675).
Contents:
1. Identify the solution
2. Apply the solution
3. Verify the patch
4. Reference
1. Identify the solution
The solution given by the security vendor:
Link: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
Follow this link for a solution:
Solution
Recommendations for protecting against this vulnerability can be found at:
My Oracle Support Note 1340831.1 for Oracle Database deployments that use Oracle Real Application Clusters (RAC).
My Oracle Support Note 1453883.1 for Oracle Database deployments that do not use RAC.
Currently, the environment here is not RAC. Refer to document 1453883.1:
Using Class of Secure Transport (COST) to Restrict Instance Registration (document ID 1453883.1)
Find two solutions:
SOLUTION
There are two methods that can be used to protect the listener using COST "SECURE_REGISTER_listener_name =" in stand alone database installations.
1) Restricting registration to the TCP protocol (Requires the fix for BUG:12880299)
2. Apply the solution
2.1 Determine the current state
Listener configuration file: listener.ora
Storage path: cd %ORACLE_HOME%/network/admin
Content (for security, all IP-related information has been sanitized):
# listener.ora Network Configuration
2.2 Try to apply the solution
2.2.1 Stop the listener
lsnrctl stop listener
2.2.2 Modify the listener configuration file
Add the COST TCP protocol restriction "SECURE_REGISTER_[listener_name] = (TCP)" to the listener.ora.
Match the COST parameter variable listener_name with the name of the listener you are using in the listener.ora, e.g., If your listener name is "LISTENER_PROD" then use SECURE_REGISTER_LISTENER_PROD = (TCP)
Actual modification process:
Switch to the path where the listener configuration file is located:
3. Verify the patch
3.1 Comment out the COST rule and verify the listener
3.1.1 Comment out the COST rule in listener.ora and restart the listener
Comment the COST rule in listener.ora and restart the listener.
Modify the listener.ora file directly, adding a "#" comment to the line you added before.
# SECURE_REGISTER_LISTENER = (
3.2 Uncomment the COST rule and verify the listener
3.2.1 Uncomment the COST rule, restart the listener, force registration, and verify the listener service information
Remove the "#" sign in front of the line at the end of the listener file:
SECURE_REGISTER_LISTENER = (TCP)
Restart the listener:
lsnrctl stop listener
lsnrctl start listener
Force dynamic registration with the listener:
SQL> alter system register;
Verify the listener service information. According to the official description, there should normally be no "REMOTE SERVER":
e:\oracle\product\10.2.0\db_1\network\ADMIN>lsnrctl services listener
LSNRCTL for 32-bit Windows: Version 10.2.0.3.0-Production on 21-September-2016 0:23
Copyright (c) 1991, 2006, Oracle. All rights reserved.
Connecting to (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY=EXTPROC1521)
service summary..
The service "PLSExtProc" contains 1 routine.
  Routine "PLSExtProc", status UNKNOWN, contains 1 handler for this service.
    Handler:
      "DEDICATED" established: 0 rejected: 0
         LOCAL SERVER
service "orcl" contains 2 routines.
  Routine "orcl", status UNKNOWN, contains 1 handler for this service.
    Handler:
      "DEDICATED" created: 1 rejected: 0
         LOCAL SERVER
  routine "orcl", status READY, containing 1 handler for this service.
    Handler:
      "DEDICATED" established: 0 rejected: 0 status: blocked
         REMOTE SERVER
         (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY=EXTPROC1521)
service "orclXDB" contains 1 routine.
  Routine "orcl", status READY, contains 1 handler for this service.
    Handler:
      "D000" established: 0 rejected: 0 current: 0 Max: 1002 status: ready
         DISPATCHER
         (ADDRESS= (PROTOCOL=tcp) (HOST=INSPUR-IRMS-138) (PORT=52676))
Service "orcl_XPT" contains 1 routine.
  Routine "orcl", status READY, contains 1 handler for this service.
    Handler:
      "DEDICATED" established: 0 rejected: 0 status: blocked
         REMOTE SERVER
         (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY=EXTPROC1521)
command executed successfully
In practice the words "REMOTE SERVER" still appear, but the corresponding handlers are blocked.
3.2.2 View the listener log
cd %ORACLE_HOME%/network/log
The listener.log file already contains TNS-01194 entries, consistent with the official document:
21-September-2016 11:00:23 * (CONNECT_DATA= (CID= (PROGRAM=) (HOST=) (USER=Administrator)) (COMMAND=services) (ARGUMENTS=64) (SERVICE=listener) (VERSION=169870080)) * services * 0
21-September-2016 11:00:54 * service_register_NSGR * 1194
TNS-01194: listener commands did not reach secure transmission
21-September-2016 11:01:54 * service_register_NSGR * 1194
TNS-01194: monitor Program commands did not reach secure transfer
21-September-2016 11:02:54 * service_register_NSGR * 1194
TNS-01194: listener commands did not reach secure transfer
3.2.3 Restore the remote_listener setting
Test complete; restore the remote_listener setting:
SQL> alter system set remote_listener='' scope=memory;
3.2.4 View the listener service information
E:\oracle\product\10.2.0\db_1\network\ADMIN>lsnrctl services listener
LSNRCTL for 32-bit Windows: Version 10.2.0.3.0-Production on 21-September-2016 11:2
Copyright (c) 1991, 2006, Oracle. All rights reserved.
Connecting to (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY=EXTPROC1521)
service summary..
The service "PLSExtProc" contains 1 routine.
  Routine "PLSExtProc", status UNKNOWN, contains 1 handler for this service.
    Handler:
      "DEDICATED" established: 0 rejected: 0
         LOCAL SERVER
service "orcl" contains 1 routine.
  Routine "orcl", status UNKNOWN, contains 1 handler for this service.
    Handler:
      "DEDICATED" established: 1 rejected: 0
         LOCAL SERVER
command executed successfully
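The two verification steps above can be scripted. The following is an added example, not code from the original article or from Oracle: it checks a listener.ora for listeners that lack an active (uncommented) SECURE_REGISTER_<listener_name> line and lists the registration attempts that listener.log records as rejected with error 1194. The sample file and log text are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples: the article's own listener.ora content is elided.
SAMPLE_ORA = """\
# listener.ora Network Configuration
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.invalid)(PORT = 1521)))
# SECURE_REGISTER_LISTENER = (TCP)
"""
SAMPLE_LOG = """\
21-September-2016 11:00:23 * (CONNECT_DATA=(COMMAND=services)) * services * 0
21-September-2016 11:00:54 * service_register_NSGR * 1194
TNS-01194: listener commands did not reach secure transmission
21-September-2016 11:01:54 * service_register_NSGR * 1194
TNS-01194: listener commands did not reach secure transmission
"""

def top_level_params(text):
    """Map each uncommented top-level parameter (upper-cased) to its raw value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # a commented-out COST line must not count as active
        m = re.match(r"([A-Za-z_][\w.]*)\s*=(.*)", line)
        if m:  # names start in column 0; indented lines continue a value
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name:
            params[name] += line
    return params

def audit_cost(text):
    """Return {listener name: SECURE_REGISTER_<name> value, or None if unset}."""
    params = top_level_params(text)
    return {
        name: (params.get("SECURE_REGISTER_" + name) or "").strip() or None
        for name, value in params.items()
        if "ADDRESS" in value.upper() and not name.startswith("SID_LIST_")
    }

def rejected_registrations(log_text):
    """Timestamps of registration attempts refused with listener error 1194."""
    pat = re.compile(r"^(\S+ \S+) \* service_register\w* \* 1194\s*$", re.M)
    return pat.findall(log_text)

if __name__ == "__main__":
    print(audit_cost(SAMPLE_ORA), rejected_registrations(SAMPLE_LOG))
```

A listener mapped to None has no active COST restriction, which is the state section 3.1 creates on purpose; after section 3.2 the value should read (TCP).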