TNS Listener Poisoning issue for standalone Oracle database

The TNS Listener poisoning problem is described in the Oracle Security Alert for CVE-2012-1675. An attacker who can reach the listener port can register a bogus instance for an existing service name, so that client sessions for that service are routed through the attacker's host.

Solution to the problem

Note: There is no fix for version 11.2.0.1. Upgrade the database (and its listener) to at least 11.2.0.4, where the VNCR method below is available.

VNCR understanding
Oracle provides Valid Node Checking for Registration (the VNCR method).
It allows instance registrations to come only from known servers.
It secures the listener by allowing a registration to succeed only if it originates from a valid node.
You can specify the list of nodes that may register with the listener.
You can also specify a list of excluded nodes.
When both lists are used, the invited list takes precedence over the excluded list.

Enable the VNCR
Note: On 11.2.0.4 it is OFF by default, so the parameter has to be added explicitly.

-- Open the listener.ora file and add the following parameter (replace listener_name with the name of your listener, e.g. LISTENER).
VALID_NODE_CHECKING_REGISTRATION_listener_name = ON

If you want further restriction, add one or both of the following parameters to listener.ora.
Note: entries may be host names or IP addresses, and a trailing * wildcards the last octet. The values below are placeholders. Any remote database that legitimately registers with this listener (for example through REMOTE_LISTENER) must be on the invited list, or its services will no longer be registered.

-- Invited nodes: the remote nodes allowed to register (local addresses are always allowed when VNCR is ON)
REGISTRATION_INVITED_NODES_listener_name = (host_name, 127.xx.yy.zz, 127.zz.y.*)

-- Excluded nodes, the reverse of invited nodes: these nodes may not register
REGISTRATION_EXCLUDED_NODES_listener_name = (host_name, 127.xx.yy.zz, 127.zz.y.*)

Disable the VNCR

VALID_NODE_CHECKING_REGISTRATION_listener_name = OFF

Other values of the VNCR parameter

VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
OFF/0 - Disable VNCR. Any host that can reach the listener port can register.
ON/1/LOCAL - Enable VNCR. Only IP addresses of the local machine (plus any invited nodes) can register.
SUBNET/2 - Enable VNCR. Any machine in the listener's subnet (plus any invited nodes) can register.
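The parameters above are all set in listener.ora, so the quickest way to check a standalone database for the mitigation (before and after the change) is to audit that file. The script below is an added example written for this note, not code from the original post or from Oracle; it reads a listener.ora, reports the VNCR setting for one listener, lists the invited or excluded nodes, and gives a pass/fail verdict. The listener name, the host name dbhost and the 192.0.2.x addresses in the constructed sample files are placeholders, not a real deployment.

```shell
#!/bin/sh
# Added VNCR audit helper (assumed layout: one listener.ora, listener name given as $2).

# Value of VALID_NODE_CHECKING_REGISTRATION_<listener> (upper-cased), or MISSING.
# On 11.2.0.4 a missing parameter means VNCR is off.
vncr_setting() {
    file=$1; lsnr=$2
    val=$(grep -i "^[[:space:]]*VALID_NODE_CHECKING_REGISTRATION_${lsnr}[[:space:]]*=" "$file" \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
        | tr '[:lower:]' '[:upper:]')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'MISSING\n'; fi
}

# Entries of REGISTRATION_<INVITED|EXCLUDED>_NODES_<listener>, one per line
# (kind is INVITED or EXCLUDED); prints nothing when the parameter is absent.
vncr_nodes() {
    file=$1; lsnr=$2; kind=$3
    grep -i "^[[:space:]]*REGISTRATION_${kind}_NODES_${lsnr}[[:space:]]*=" "$file" \
        | tail -n 1 | sed 's/^[^(]*(//; s/).*$//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Returns 0 when the listener only accepts registrations from local, subnet or
# listed nodes, 1 when it is still open to poisoning (OFF, 0 or parameter absent).
vncr_verdict() {
    setting=$(vncr_setting "$1" "$2")
    case $setting in
        ON|1|LOCAL|SUBNET|2)
            printf '%s: VNCR enabled (%s)\n' "$2" "$setting"; return 0 ;;
        *)
            printf '%s: VNCR NOT enabled (%s), remote hosts can register\n' "$2" "$setting"; return 1 ;;
    esac
}

# Constructed sample files: the vulnerable state (parameter absent) and the
# hardened state (VNCR on plus an invited list). Placeholder host and addresses.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/weak.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
EOF
{
    cat "$TMP/weak.ora"
    printf 'VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON\n'
    printf 'REGISTRATION_INVITED_NODES_LISTENER = (dbhost, 192.0.2.10, 192.0.2.*)\n'
} > "$TMP/hardened.ora"

vncr_verdict "$TMP/weak.ora" LISTENER || :
vncr_verdict "$TMP/hardened.ora" LISTENER
vncr_nodes "$TMP/hardened.ora" LISTENER INVITED
```

Point the functions at $ORACLE_HOME/network/admin/listener.ora on a real host. After editing the file, restart (or reload) the listener with lsnrctl and run lsnrctl services to confirm that every instance you expect is still registered; an instance that vanishes from the list is one that now needs an entry in the invited nodes.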
