Fixing the Oracle 10.2.0.4 listener remote data poisoning vulnerability (non-RAC)

Posted by hooca on 2015-02-13

Goal

To demonstrate how the COST parameter "SECURE_REGISTER_listener_name =" is used to restrict instance registration with database listeners. With this COST restriction in place only local instances will be allowed to register. These instructions can be used to address the issues published in Oracle Security Alert CVE-2012-1675 by using COST to restrict connections to only local instances.

About COST
The class of secure transports (COST) parameters specify a list of transports that are considered secure for administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether the administration of a listener requires secure transports. COST will not affect client connections utilizing other protocols. For more details and for information about other available COST parameters please see the 11.2 Network Administrators Guide and Network Reference.

1. Implementation

With PSU 10.2.0.4.4 already applied, install PSU 10.2.0.4.12

$ unzip p12879933_1020412_AIX5L.zip

$ opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir ./12879933

$ cd 12879933

$ opatch apply

Run the conflict check, then install patch 12880299

$ opatch prereq CheckConflictAgainstOHWithDetail -phBaseDir ./12880299

$ cd 12880299

$ opatch apply

Check that the patch was installed successfully

$ opatch lsinventory | grep 12880299

• Using the TCP protocol: set COST so that registration is restricted to local instances

1. Add "SECURE_REGISTER_listener_name = (TCP)" to listener.ora

LISTENER_PROD =
   (DESCRIPTION_LIST =
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
     )
   )

SECURE_REGISTER_LISTENER_PROD = (TCP)

2. Restart the listener

$ lsnrctl stop

$ lsnrctl start

• Using the IPC protocol: set COST so that registration is restricted to local instances

1. Stop the listener

$ lsnrctl stop

2. Add "SECURE_REGISTER_listener_name = (IPC)" to listener.ora

LISTENER_PROD =
   (DESCRIPTION_LIST =
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
       (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
     )
   )

SECURE_REGISTER_LISTENER_PROD = (IPC)

3. Start the listener

$ lsnrctl start

4. Change the local_listener parameter so the instance registers over IPC

SQL> show parameter local_listener

 NAME                                 TYPE        VALUE
 ------------------------------------ ----------- ------------------------------
 local_listener                       string      (ADDRESS = (PROTOCOL = TCP)(HO
                                                  ST = netfl-bde)(PORT = 1551))

SQL> alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' scope = both;

 System altered.

SQL> show parameter local_listener

 NAME                                 TYPE        VALUE
 ------------------------------------ ----------- ------------------------------
 local_listener                       string      (DESCRIPTION=(ADDRESS=(PROTOCO
                                                  L=IPC)(KEY=REGISTER)))
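Both procedures above end with an uncommented SECURE_REGISTER_<listener> line, and the IPC variant only works if the listener also has an IPC endpoint for local_listener to target. The following POSIX shell script is an added example, not code from the original post or from Oracle: it audits a listener.ora for exactly those two conditions. The helper names listener_names, entry_body, audit_cost and write_sample_listener_ora are this example's own, and the sample listener.ora it writes is constructed to mirror the post's configuration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a listener.ora for the COST
# registration restriction. Every top-level entry whose body defines an ADDRESS is
# treated as a listener and must have a matching, uncommented SECURE_REGISTER_<name>;
# an IPC-only restriction additionally needs an IPC endpoint on the listener,
# otherwise local_listener cannot reach it and the instance never registers.

# Top-level entry names ("NAME = ..."), uppercased; the SECURE_* parameters are skipped.
listener_names() {  # listener_names FILE
    grep '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' "$1" \
      | sed 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\).*/\1/' \
      | tr '[:lower:]' '[:upper:]' \
      | grep -v '^SECURE_'
}

# Body of one top-level entry: the lines after "NAME =" up to the next top-level entry.
entry_body() {  # entry_body FILE NAME
    awk -v name="$2" '
        toupper($0) ~ ("^[[:space:]]*" name "[[:space:]]*=") { inblk = 1; next }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/        { inblk = 0 }
        inblk                                                     { print }
    ' "$1"
}

# Print one status line per listener; return 0 only if every listener is protected.
audit_cost() {  # audit_cost FILE
    file=$1; rc=0
    for name in $(listener_names "$file"); do
        body=$(entry_body "$file" "$name")
        # SID_LIST_* and similar entries have no ADDRESS and are not listeners.
        echo "$body" | grep -qi '(ADDRESS' || continue
        # A commented-out line ("# SECURE_REGISTER_...") does not match and counts as absent.
        cost=$(grep -i "^[[:space:]]*SECURE_REGISTER_${name}[[:space:]]*=" "$file" \
                 | sed 's/^[^=]*=[[:space:]]*//' | head -n 1)
        if [ -z "$cost" ]; then
            echo "FAIL $name: no SECURE_REGISTER_$name, registration accepted over any transport"
            rc=1
        elif echo "$cost" | grep -qi IPC && ! echo "$body" | grep -qi 'PROTOCOL[[:space:]]*=[[:space:]]*IPC'; then
            echo "FAIL $name: SECURE_REGISTER_$name = $cost but the listener has no IPC address"
            rc=1
        else
            echo "OK   $name: SECURE_REGISTER_$name = $cost"
        fi
    done
    return $rc
}

# Constructed sample listener.ora modelled on the post's configuration.
# MODE: tcp | ipc | ipc-noaddr | none
write_sample_listener_ora() {  # write_sample_listener_ora PATH MODE
    {
        echo 'LISTENER_PROD ='
        echo '  (DESCRIPTION_LIST ='
        echo '    (DESCRIPTION ='
        if [ "$2" = ipc ]; then
            echo '      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))'
        fi
        echo '      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))'
        echo '    )'
        echo '  )'
        echo 'SID_LIST_LISTENER_PROD = (SID_LIST = (SID_DESC = (SID_NAME = PROD)))'
        case "$2" in
            tcp)            echo 'SECURE_REGISTER_LISTENER_PROD = (TCP)' ;;
            ipc|ipc-noaddr) echo 'SECURE_REGISTER_LISTENER_PROD = (IPC)' ;;
            none)           echo '# SECURE_REGISTER_LISTENER_PROD = (TCP)' ;;
        esac
    } > "$1"
}

# Stand-alone: audit the listener.ora given as $1, or walk through the four samples.
if [ $# -gt 0 ]; then
    audit_cost "$1"
else
    tmp=$(mktemp -d)
    for mode in tcp ipc ipc-noaddr none; do
        write_sample_listener_ora "$tmp/listener.ora" "$mode"
        echo "== sample mode: $mode"; audit_cost "$tmp/listener.ora" || true
    done
    rm -rf "$tmp"
fi
```

Run it with the path of a real listener.ora to audit that file, or with no arguments to see the four sample outcomes. A top-level entry is treated as a listener only when its body contains an ADDRESS, so SID_LIST_* entries are ignored; a commented-out SECURE_REGISTER line is reported as FAIL, which is exactly the state the verification section creates on purpose before re-enabling the restriction.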

 

2. Verification

1. Comment out the COST setting and restart the listener

LISTENER_PROD =
   (DESCRIPTION_LIST =
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
     )
   )

# SECURE_REGISTER_LISTENER_PROD = (TCP)

2. Set the remote_listener system parameter

$ sqlplus "/ as sysdba"

SQL*Plus: Release 10.2.0.5.0 - Production on Fri May 4 10:11:27 2012

 Connected to:
 Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production
 With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter remote_listener;

 NAME                                 TYPE        VALUE
 ------------------------------------ ----------- ------------------------------
 remote_listener                      string

SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=netfl-bde)(PORT=1551))' scope=memory;

System altered.

3. Check that the listener's services now show a "REMOTE SERVER" entry

LSNRCTL> services listener_prod
 Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC2)))
 Services Summary...
 Service "N102.us.oracle.com" has 1 instance(s).
   Instance "N102", status READY, has 1 handler(s) for this service...
     Handler(s):
       "DEDICATED" established:0 refused:0 state:ready
          REMOTE SERVER
          (ADDRESS=(PROTOCOL=TCP)(HOST=mes2)(PORT=1521))
 The command completed successfully

4. Remove the comment from listener.ora and restart the listener

LISTENER_PROD =
   (DESCRIPTION_LIST =
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
     )
   )

SECURE_REGISTER_LISTENER_PROD = (TCP)

5. Force the instance to register with the remote listener

SQL> alter system register;

System altered.

6. Restart the listener first, then check whether the listener's services still show a "REMOTE SERVER" entry

[oracle@bde]$ lsnrctl

LSNRCTL for Linux: Version 11.2.0.2.0 - Production on 04-MAY-2012 10:42:57
Copyright (c) 1991, 2010, Oracle. All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> services listener_prod
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC2)))
The listener supports no services
The command completed successfully

7. Check the listener log; it will contain TNS-01194 messages showing that the registration was refused

$ tail /u01/app/oracle/product/11.2.0.2/network/log/listener.log

04-MAY-2012 10:43:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=netfl-bde)(USER=oracle))(COMMAND=services)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647040)) * services * 0

04-MAY-2012 10:43:05 * service_register_NSGR * 1194
 TNS-01194: The listener command did not arrive in a secure transport

04-MAY-2012 10:44:05 * service_register_NSGR * 1194
 TNS-01194: The listener command did not arrive in a secure transport

8. Verification complete; clear the remote_listener system parameter

SQL> alter system set remote_listener='' scope=memory;

System altered.
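The verification above relies on two signals: a REMOTE SERVER handler in the lsnrctl services output means a registration over the network was accepted, and TNS-01194 lines in listener.log mean COST refused one. The following POSIX shell script is an added example, not code from the original post or from Oracle: it extracts both signals from saved output so the check can be repeated after the fix is in place. The names remote_servers, refused_registrations, check_listener_log and the write_sample_* helpers are this example's own, and the sample services output and log lines are constructed from the post's excerpts (the final "establish" line is invented to show a normal client connection being ignored).

```shell
#!/bin/sh
# Added example (not from the original post): detection helpers for the two
# verification signals. Sample lsnrctl output and listener.log lines are constructed.

# From saved "lsnrctl services" output, print the address of every handler that
# registered as REMOTE SERVER (the address is on the line that follows the label).
remote_servers() {  # remote_servers SERVICES_OUTPUT_FILE
    awk '/REMOTE SERVER/ { if (getline > 0) print $1 }' "$1"
}

# A registration refused by COST is logged as
#   DD-MON-YYYY HH:MI:SS * service_register_NSGR * 1194
# followed by the TNS-01194 text line. Print the timestamp of each refusal.
refused_registrations() {  # refused_registrations LISTENER_LOG
    awk '$3 == "*" && $4 == "service_register_NSGR" && $6 == "1194" { print $1, $2 }' "$1"
}

# Count refusals; return 1 once the count reaches THRESHOLD so the check can run
# from cron or a monitoring agent against the live listener.log.
check_listener_log() {  # check_listener_log LISTENER_LOG THRESHOLD
    n=$(refused_registrations "$1" | wc -l | tr -d ' ')
    echo "refused registrations (TNS-01194) in $1: $n"
    [ "$n" -lt "$2" ]
}

# Constructed sample of "lsnrctl services" output (based on the post's excerpt).
write_sample_services() {  # write_sample_services PATH
    cat > "$1" <<'EOF'
Services Summary...
Service "N102.us.oracle.com" has 1 instance(s).
  Instance "N102", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=mes2)(PORT=1521))
The command completed successfully
EOF
}

# Constructed sample listener.log (based on the post's excerpt; last line invented).
write_sample_log() {  # write_sample_log PATH
    cat > "$1" <<'EOF'
04-MAY-2012 10:43:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=netfl-bde)(USER=oracle))(COMMAND=services)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647040)) * services * 0
04-MAY-2012 10:43:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
04-MAY-2012 10:44:05 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
04-MAY-2012 10:45:10 * (CONNECT_DATA=(SERVICE_NAME=PROD)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=appuser))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40112)) * establish * PROD * 0
EOF
}

# Stand-alone: pass a listener.log (and an optional threshold) to check it, or run the samples.
if [ $# -gt 0 ]; then
    check_listener_log "$1" "${2:-1}" || echo "ALERT: COST refused registrations, review listener.log"
else
    tmp=$(mktemp -d)
    write_sample_services "$tmp/services.txt"; write_sample_log "$tmp/listener.log"
    echo "remote servers registered:"; remote_servers "$tmp/services.txt"
    echo "refusal timestamps:"; refused_registrations "$tmp/listener.log"
    check_listener_log "$tmp/listener.log" 1 || echo "ALERT: COST refused registrations, review listener.log"
    rm -rf "$tmp"
fi
```

Given a real listener.log and a threshold, check_listener_log returns non-zero once that many refusals are present, which is the hook for a cron job or monitoring agent: once COST is in place and local_listener is correct, any TNS-01194 at all means something other than the local instance tried to register and should be looked into. The TNS-01194 entry itself carries no source address, so attributing a refusal to a host needs other sources such as the surrounding log entries or network logs.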

 

3. Rollback

If problems occur, roll back as follows.

1. Restore listener.ora by commenting out SECURE_REGISTER_listener_name

LISTENER_PROD =
   (DESCRIPTION_LIST =
     (DESCRIPTION =
       (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
     )
   )

# SECURE_REGISTER_LISTENER_PROD = (TCP)

2. Roll back patch 12880299

$ $ORACLE_HOME/OPatch/opatch rollback -id 12880299

References:

Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]

From the ITPUB blog, link: http://blog.itpub.net/22621861/viewspace-1435448/. Please credit the source when reposting; otherwise legal liability will be pursued.
