Oracle Database Server 'TNS Listener'远程数据投毒漏洞(

环境:Windows 2008 R2 + Oracle 10.2.0.3
应用最新bundle patch后,扫描依然报出漏洞 Oracle Database Server 'TNS Listener'远程数据投毒漏洞(CVE-2012-1675)

1.确定解决方案

2.应用解决方案

3.验证修补情况

4.Reference

1.确定解决方案

安全厂家给出的解决办法:
链接:

根据此链接得到解决方法:

Solution

Recommendations for protecting against this vulnerability can be found at:

My Oracle Support Note 1340831.1 for Oracle Database deployments that use Oracle Real Application Clusters (RAC).
My Oracle Support Note 1453883.1 for Oracle Database deployments that do not use RAC.

目前这里环境不是RAC,参考文档1453883.1:
Using Class of Secure Transport (COST) to Restrict Instance Registration (文档 ID 1453883.1)
找到两种解决方案:

SOLUTION

There are two methods that can be used to protect the listener using COST "SECURE_REGISTER_listener_name =" in stand alone database installations.

1) Restricting registration to the TCP protocol (Requires the fix for BUG:12880299)

- or -

2) Restricting registration to the IPC protocol (The patch for BUG:12880299 is NOT required for the IPC method)

Either method accomplishes the same goal but it is your choice which type to implement subject to the restriction* noted below. Both methods will be discussed.

The second method (using IPC) cannot be used if the database is a member of an Oracle Data Guard broker configuration.

我这里选择第一种解决方案:
1) Restricting registration to the TCP protocol (Requires the fix for BUG:12880299)。

2.应用解决方案 2.1 确定现状

监听配置文件:listener.ora
存放路径:cd %ORACLE_HOME%/network/admin
内容(保证安全,所有IP相关信息已二次处理):

# listener.ora Network Configuration File: E:\oracle\product\10.2.0\db_1\NETWORK\ADMIN\listener.ora # Generated by Oracle configuration tools. LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)) (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.138)(PORT = 1521)) ) ) SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = E:\oracle\product\10.2.0\db_1) (PROGRAM = extproc) (ENVS = "EXTPROC_DLLS=ANY") ) (SID_DESC = (GLOBAL = orcl) (ORACLE_HOME = E:\oracle\product\10.2.0\db_1) (SID_NAME = orcl) ) ) ADR_BASE_LISTENER = E:\oracle

数据库监听信息,原始都是空值:

SQL> show parameter local_listener NAME TYPE VALUE ------------------------------------ ----------- --------------------------- local_listener string SQL> show parameter remote_listener; NAME TYPE VALUE ------------------------------------ ----------- --------------------------- remote_listener string SQL> 2.2 尝试应用解决方案

2.2.1 停止监听
lsnrctl stop listener
2.2.2 修改监听配置文件

Add the COST TCP protocol restriction "SECURE_REGISTER_[listener_name] = (TCP)" to the listener.ora.
Match the COST parameter variable listener_name with the name of the listener you are using in the listener.ora, e.g., If your listener name is "LISTENER_PROD" then use SECURE_REGISTER_LISTENER_PROD = (TCP)

实际修改过程:
切换到监听配置文件所在路径:

cd %ORACLE_HOME%/network/admin

直接修改listener.ora文件,在文件的末尾添加一行:

SECURE_REGISTER_LISTENER = (TCP)

2.2.3 启动监听
启动监听:
lsnrctl start listener
立即注册动态监听:
SQL> alter system register;
2.2.4 设置local_listener

alter system set local_listener='(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.138)(PORT = 1521)))' scope = both; show parameter local_listener

2.2.5 查看监听服务信息
lsnrctl services listener

E:\oracle\product\10.2.0\db_1\network\ADMIN>lsnrctl services listener LSNRCTL for 32-bit Windows: Version 10.2.0.3.0 - Production on 21-9-2016 10:2 2:02 Copyright (c) 1991, 2006, Oracle. All rights reserved. 正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521))) 服务摘要.. 服务 "PLSExtProc" 包含 1 个例程。 例程 "PLSExtProc", 状态 UNKNOWN, 包含此服务的 1 个处理程序... 处理程序: "DEDICATED" 已建立:0 已被拒绝:0 LOCAL SERVER 服务 "orcl" 包含 1 个例程。 例程 "orcl", 状态 UNKNOWN, 包含此服务的 1 个处理程序... 处理程序: "DEDICATED" 已建立:3 已被拒绝:0 LOCAL SERVER 命令执行成功 3.验证修补情况 3.1 注释COST规则验证监听情况

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/24da1efb96a9125cb7dfac8a72934e1e.html