TNS Listener Poisoning issue for standalone Oracle database
The TNS Listener poisoning problem is described in Oracle Security Alert CVE-2012-1675.
Solution to the problem
Note: There is no fix for this in version 11.2.0.1, so you have to upgrade your database to at least version 11204 (11.2.0.4).
Understanding VNCR
Oracle provides Valid Node Checking for Registration (the VNCR method).
It allows instance registrations to come only from known servers.
It makes the listener secure by allowing a registration to succeed only if it originates from a valid node.
The user can specify the list of nodes that may register with the listener.
The user can also specify a list of excluded nodes.
Invited nodes take precedence when both invited and excluded lists are used.
Enable the VNCR
Note: By default it’s OFF
-- Open the listener.ora file and add the following parameter.
VALID_NODE_CHECKING_REGISTRATION_listener_name = ON
If you want tighter restriction, use the following two parameters in the listener.ora file as well.
Note: you can specify IP addresses and host names.
-- For invited nodes
REGISTRATION_INVITED_NODES_listener_name=(127.xx.yy.zz, 127.zz.y.*)
-- The reverse of invited nodes: nodes that are not allowed to register.
REGISTRATION_EXCLUDED_NODES_listener_name=(127.xx.yy.zz, 127.zz.y.*)
Disable the VNCR
VALID_NODE_CHECKING_REGISTRATION_listener_name = OFF
Other values of VNCR parameter
VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
OFF/0 - Disable VNCR
ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register.
SUBNET/2 - All machines in the subnet are allowed registration.
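As an added example (not code from the page or from Oracle), here is a small Python audit that reads the VNCR-related entries of a listener.ora and reports, per listener, the VNCR level and the invited/excluded node lists, flagging listeners where registration is left unrestricted. The listener names and addresses in the sample are constructed.

```python
import re

# Documented values of VALID_NODE_CHECKING_REGISTRATION_listener_name, normalised to a level.
VNCR_LEVELS = {"OFF": "OFF", "0": "OFF", "ON": "LOCAL", "1": "LOCAL", "LOCAL": "LOCAL",
               "SUBNET": "SUBNET", "2": "SUBNET"}

# Matches PARAM_<listener_name> = value (listener.ora keys are case-insensitive).
PARAM_RE = re.compile(
    r"^\s*(VALID_NODE_CHECKING_REGISTRATION|REGISTRATION_INVITED_NODES|"
    r"REGISTRATION_EXCLUDED_NODES)_(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def parse_node_list(raw):
    # "(host1, 10.0.0.5, 10.0.1.*)" -> ["host1", "10.0.0.5", "10.0.1.*"]; empty entries dropped
    return [n.strip() for n in raw.strip().strip("()").split(",") if n.strip()]

def audit_listener_ora(text):
    """Return {LISTENER_NAME: {"vncr": level, "invited": [...], "excluded": [...]}}.
    A listener with node lists but no VALID_NODE_CHECKING_REGISTRATION line is "UNSET"."""
    report = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.split("#", 1)[0])   # '#' starts a comment in listener.ora
        if not m:
            continue
        param, listener, value = m.group(1).upper(), m.group(2).upper(), m.group(3).strip()
        entry = report.setdefault(listener, {"vncr": "UNSET", "invited": [], "excluded": []})
        if param == "VALID_NODE_CHECKING_REGISTRATION":
            entry["vncr"] = VNCR_LEVELS.get(value.upper(), "INVALID:" + value)
        elif param == "REGISTRATION_INVITED_NODES":
            entry["invited"] = parse_node_list(value)
        else:
            entry["excluded"] = parse_node_list(value)
    return report

def findings(report):
    """Listeners where remote instance registration is not restricted, plus precedence notes."""
    out = []
    for name, e in sorted(report.items()):
        if e["vncr"] in ("OFF", "UNSET"):
            out.append(f"{name}: VNCR is {e['vncr']}; instance registration is not restricted")
        if e["invited"] and e["excluded"]:
            out.append(f"{name}: both lists set; the invited list takes precedence")
    return out

# Constructed listener.ora excerpt: one hardened listener, one left open.
SAMPLE = """# constructed sample, not a real listener.ora
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
REGISTRATION_INVITED_NODES_LISTENER = (dbhost, 192.0.2.10, 192.0.2.*)
VALID_NODE_CHECKING_REGISTRATION_LSNR2 = OFF
REGISTRATION_EXCLUDED_NODES_LSNR2 = (198.51.100.7)
"""

if __name__ == "__main__":
    for f in findings(audit_listener_ora(SAMPLE)):
        print(f)
```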