DBAsupport.com Forums - Powered by vBulletin

Thread: Oracle Security Problem - Please Read

  1. #1
    Join Date
    Nov 1999
    Location
    Elbert, Colorado, USA
    Posts
    81
    Oracle Corporation has just released the following security alert:

    Vulnerability in the Oracle Listener Program
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Versions Affected
    ~~~~~~~~~~~~~~~~~
    Oracle listener program releases 7.3.4, 8.0.6 and 8.1.6

    Platforms Affected
    ~~~~~~~~~~~~~~~~~~
    All platforms except Open VMS.

    Description
    ~~~~~~~~~~~
    A security vulnerability in the listener program of the Oracle Enterprise Server has been
    discovered. Using this vulnerability, a knowledgeable and malicious attacker can potentially
    gain a higher level of access to the Oracle owner account and Oracle databases and introduce
    malicious code into various operating systems.

    The commands SET LOG_FILE and SET TRC_FILE allow the log and trace files, respectively, to
    which the listener program writes, to be modified dynamically while the listener program is
    running. The listener program can be configured to append and/or overwrite logging and tracing
    information to any operating system file that can be written by the Oracle owner, such as an
    alert file or a database file, and thereby corrupt an Oracle database and potentially
    introduce malicious code into the operating system.


    Workaround
    ~~~~~~~~~~
    You must apply the patch as soon as it is available for your platform. However, an
    interim workaround until the patch is available for your platform is to password
    protect the listener. Once the listener has been password
    protected the SET LOG_FILE and SET TRACE_FILE commands in lsnrctl will not
    work without a password.

    For instructions on how to password protect the listener see the following:

    <Note:92602.1> How to password protect your listener

    In addition to setting the listener password you should also set up your
    permissions to limit who has access to the listener.ora file and the
    lsnrctl executable.

    Patches
    ~~~~~~~
    The generic bug filed against the Oracle listener program is 1361722.
    The patch for this exploit allows a database administrator to restrict run-time administration
    of the Oracle listener program. A new parameter, ADMIN_RESTRICTIONS_LISTENER, has been
    introduced into listener.ora, the control file for the Oracle listener program. Setting
    ADMIN_RESTRICTIONS_LISTENER=ON prevents the vulnerability from being exploited by disabling
    the run-time modification of parameters in listener.ora. That is, the listener program will
    refuse to accept SET commands that alter its parameters and attempting to issue a SET command
    will result in the generation of an error message. Thus, to change any one of the parameters
    in listener.ora, including ADMIN_RESTRICTIONS_LISTENER itself, this file needs to be edited
    manually and its parameters need to be reloaded manually (e.g., LSNRCTL RELOAD) for the new
    changes to take effect without explicitly stopping and restarting the listener program.
    Operating system access to the protected Oracle account owner directories and files is
    required to edit listener.ora. Note that the Oracle account owner directories and files must
    be protected in the operating system by setting the access control permissions on them as
    recommended by Oracle Corporation in its user manuals.
    ADMIN_RESTRICTIONS_LISTENER=OFF is the default value when the listener program is installed in
    order to maintain current customer environments and backward compatibility. There is no change
    in the run-time behavior of the listener program or in syntax of the SET commands in this mode
    of operation.
    Oracle Corporation recommends establishing the listener program password in this mode of
    operation.


    Patches are available in MetaLink. Login to MetaLink at [url]http://metalink.oracle.com[/url]. Choose
    the Patches button and select SQL*Net from the drop-down product list.
    The patches are also available for download from the Oracle FTP server.

    FTP Server Patch Locations
    --------------------------

    Compaq Tru64 UNIX
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/81620/bug1399204[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/81600/bug1399208[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/81500/bug1399209[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/80600/bug1399212[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/73400/bug1399214[/url]


    Fujitsu UXP/DS
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/FUJITSU_UXPDS/806/bug1414374[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/FUJITSU_UXPDS/7345/bug1414392[/url]


    Hitachi 3050/R Risc UNIX
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HITACHI_3050RX/8.0.5/bug1414786[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HITACHI_3050RX/7.3.4/bug1414768[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HITACHI_3050RX/8.0.6/bug1414795[/url]


    HP 9000 Series HP-UX
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/81620/11.0.32/bug1398177[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/8150/32bit/bug1398199[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/11.00/80610/bug1398216[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/11.00/32bit/7345/bug1398229[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/81600/32bit/bug1398259[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/7345/10.20/7345/bug1398278[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/81600/64bit/bug1398288[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/8150/64bit/bug1398292[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/806/11.00/64bit/bug1398299[/url]


    IBM RS 6000 AIX
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/81620/bug1399170[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/81600/bug1399179[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/81500/bug1399185[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/80600/bug1399190[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/734/bug1399191[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_64BIT/81600/bug1399194[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_64BIT/81500/bug1399196[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_64BIT/80600/bug1399201[/url]


    Intel Based Server LINUX
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/LINUX/8161/bug1399217[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/LINUX/815/bug1399218[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/LINUX/806/bug1399222[/url]


    Sun SPARC Solaris
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/8062/bug1389364[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/815/bug1389366[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/81600/bug1389370[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/81610/bug1389378[/url]
    [url]ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/81620/bug1389380[/url]


    References
    ~~~~~~~~~~
    <BUG:1361722>

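The alert above names three defences a DBA can verify on a host: ADMIN_RESTRICTIONS_LISTENER=ON in listener.ora, a listener password, and tight file permissions on listener.ora. The POSIX shell script below is an added example, not part of the Oracle alert or the post, that audits a listener.ora for those three items and applies the first and third. It builds its own constructed sample listener.ora in a temp directory, assumes the generic listener name LISTENER used in the alert, and assumes that a password saved by lsnrctl appears as a PASSWORDS_LISTENER entry (the script only reports whether that entry is present; the password itself is set through lsnrctl as described in Note 92602.1). After a real edit the listener still has to be told to pick up the file with lsnrctl reload, which the script deliberately does not run.

```shell
#!/bin/sh
# Added example: audit and harden a listener.ora against the SET LOG_FILE /
# SET TRC_FILE issue described in the alert. Not Oracle's code.

# Constructed sample listener.ora (not a real file), with the insecure default.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/listener.ora" <<'EOF'
# constructed sample: one listener, run-time SET commands still allowed
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    )
  )
ADMIN_RESTRICTIONS_LISTENER = OFF
EOF
chmod 644 "$WORK/listener.ora"   # world-readable, as many installs leave it

# check_admin_restrictions FILE LISTENER_NAME -> prints ON, OFF or UNSET
# (UNSET means the parameter is absent, which behaves like the OFF default)
check_admin_restrictions() {
    val=$(sed -n "s/^[[:space:]]*ADMIN_RESTRICTIONS_$2[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1)
    [ -z "$val" ] && val=UNSET
    echo "$val" | tr '[:lower:]' '[:upper:]'
}

# check_password_set FILE LISTENER_NAME -> prints yes if a PASSWORDS_<name>
# entry exists (assumed to be where lsnrctl stores the saved password)
check_password_set() {
    if grep -q "^[[:space:]]*PASSWORDS_$2[[:space:]]*=" "$1"; then echo yes; else echo no; fi
}

# check_perms FILE -> prints ok only if group and others have no access at all,
# matching the alert's advice to limit who can reach listener.ora
check_perms() {
    rest=$(ls -ld "$1" | cut -c5-10)
    if [ "$rest" = "------" ]; then echo ok; else echo weak; fi
}

# harden_listener_ora FILE LISTENER_NAME: force ADMIN_RESTRICTIONS_<name> = ON
# (rewriting the line if present, appending it otherwise) and chmod 600.
# Editing the file is exactly what the patch requires once restrictions are on;
# the listener must then be reloaded (lsnrctl reload) for it to take effect.
harden_listener_ora() {
    f=$1; name=$2
    if grep -q "^[[:space:]]*ADMIN_RESTRICTIONS_$name[[:space:]]*=" "$f"; then
        sed "s/^\([[:space:]]*ADMIN_RESTRICTIONS_$name[[:space:]]*=[[:space:]]*\)[A-Za-z]*/\1ON/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'ADMIN_RESTRICTIONS_%s = ON\n' "$name" >> "$f"
    fi
    chmod 600 "$f"
}

# Audit before, harden, audit after.
BEFORE_RESTRICT=$(check_admin_restrictions "$WORK/listener.ora" LISTENER)
BEFORE_PERMS=$(check_perms "$WORK/listener.ora")
PASSWORD_SET=$(check_password_set "$WORK/listener.ora" LISTENER)
harden_listener_ora "$WORK/listener.ora" LISTENER
AFTER_RESTRICT=$(check_admin_restrictions "$WORK/listener.ora" LISTENER)
AFTER_PERMS=$(check_perms "$WORK/listener.ora")

printf 'ADMIN_RESTRICTIONS_LISTENER: before=%s after=%s\n' "$BEFORE_RESTRICT" "$AFTER_RESTRICT"
printf 'listener.ora permissions:    before=%s after=%s\n' "$BEFORE_PERMS" "$AFTER_PERMS"
printf 'listener password present:   %s (set it with lsnrctl per Note 92602.1)\n' "$PASSWORD_SET"
printf 'remember: lsnrctl reload is required for the edited file to take effect\n'
```

Run it against a copy of the real file by replacing the constructed heredoc with the path under the Oracle owner's network admin directory; the checks are read-only and only harden_listener_ora writes anything.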
  2. #2
    Join Date
    Nov 2000
    Posts
    62
    Thanks.
