Overview and analysis
A customer's 11.2.3 database running on an x86 system was flagged by a vulnerability scan for the Oracle remote listener poisoning vulnerability (TNS listener poison attack). According to the Oracle Security Alert for CVE-2012-1675, the affected releases are 11g and 10g.
In 12c and later this vulnerability is already fixed, so no manual intervention is needed there.
Affected versions listed in the alert:
Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3, 11.2.0.4
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Analysis:
The CVE-2012-1675 alert points to My Oracle Support Note 1340831.1, which restricts instance registration with Class of Secure Transport (COST). On this RAC system both the scan_listener and the node listener have to be configured: registration is limited to IPC and TCPS (with a wallet for the TCPS endpoint), so a remote attacker can no longer register a rogue service over plain TCP.
Step 1: configure scan_listener
1. Create an Oracle wallet.
# As grid, open up $GI_HOME/network/admin so that the oracle user (group oinstall) can create the wallet inside it
su - grid
cd /oracle/app/11.2.0/grid/network/
chmod 775 admin
# The wallet is created by the oracle user: the database instances run as oracle and must be able to read it to register over TCPS
su - oracle
cd /oracle/app/11.2.0/grid/network/admin/
mkdir cost
orapki wallet create -wallet /oracle/app/11.2.0/grid/network/admin/cost
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
orapki wallet remove -trusted_cert_all -wallet /oracle/app/11.2.0/grid/network/admin/cost
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
# Self-signed certificate for the TCPS registration endpoint. 1024 bits follows the MOS note; orapki also accepts -keysize 2048, which is the stronger choice
orapki wallet add -wallet /oracle/app/11.2.0/grid/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
orapki wallet display -wallet /oracle/app/11.2.0/grid/network/admin/cost -summary
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register
# Make the wallet auto-login (creates cwallet.sso) so that the listener and PMON can open it without a password
orapki wallet create -wallet /oracle/app/11.2.0/grid/network/admin/cost -auto_login
Oracle PKI Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
# The wallet holds the private key: readable by owner oracle and by group oinstall (the listener runs as grid, which reads it through the group), not by others
chmod 640 cwallet.sso
ls -al
-rw-r----- 1 oracle oinstall 2493 Jul 11 15:18 cwallet.sso
-rw------- 1 oracle oinstall 2416 Jul 11 15:18 ewallet.p12
# Back up and edit the GI home listener.ora: point the SCAN listener at the wallet
cp listener.ora listener.ora.bak
vi listener.ora
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /oracle/app/11.2.0/grid/network/admin/cost)
)
)
# Leave the COST restriction commented out for now: the instances still register over TCP, and enabling it before remote_listener points at the TCPS endpoint would drop them from the SCAN listener
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
# Add a TCPS endpoint on port 1523 to the SCAN listener next to the existing TCP:1521 endpoint, then restart it
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
srvctl modify scan_listener -p TCP:1521/TCPS:1523
srvctl stop scan_listener
srvctl start scan_listener
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
# The database home's sqlnet.ora must point at the same wallet, otherwise PMON cannot register with the SCAN listener over TCPS
cat /u01/app/oracle/product/11.2.0/dbhome_2/network/admin/sqlnet.ora
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /oracle/app/11.2.0/grid/network/admin/cost)
)
)
SQL> show parameter remote_listener
NAME TYPE VALUE
--------------- ----------- ------------------------------
remote_listener string 192.168.XX.11:1521
srvctl config scan
SCAN name: integb-cluser-scan, Network: 1/192.168.0.0/255.255.255.0/bond0
SCAN VIP name: scan1, IP: /testdb-cluser-scan/192.168.XX.11
# Point remote_listener at the TCPS endpoint of the SCAN (port 1523) on all instances; the default 192.168.XX.11:1521 value would keep registering in the clear
alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.XX.11)(PORT=1523)))' scope=both sid='*';
# Now uncomment the restriction in the GI home listener.ora so that the SCAN listener accepts registration over IPC and TCPS only, and restart it
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
srvctl stop scan_listener
srvctl start scan_listener
Step 2: configure the node listener parameter
# In the same GI home listener.ora, add a COST entry for the node listener (LISTENER) as well, then restart it
SECURE_REGISTER_LISTENER = (IPC,TCP)
srvctl stop listener
srvctl start listener
Note that (IPC,TCP) still accepts registration over plain TCP, which is what the local instances use through LOCAL_LISTENER (the VIP address on port 1521); on its own it does not block a remote TCP registration to the node listener. Whether the node listener can be limited to IPC only, or to IPC and TCPS with the same wallet, depends on how LOCAL_LISTENER is configured; follow Note 1340831.1 for the variant that matches the setup.
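As an added example (not code from the article, from Oracle or from the MOS note), the following POSIX shell script audits the listener.ora states produced in step 1 and step 2, builds the TCPS-only remote_listener string used in the ALTER SYSTEM step, and checks the srvctl scan_listener output for a TCPS endpoint. The function names, the temporary directory and the sample listener.ora contents are constructed for the demo; it runs offline and needs no Oracle software.

```shell
#!/bin/sh
# Added audit helpers for the COST (SECURE_REGISTER_LISTENER) mitigation above.
# Example code, not from the article: it parses listener.ora the way the listener
# reads it (commented-out entries do not count) and flags the states a
# practitioner wants to catch before and after the restart.

# Return 0 when every active SECURE_REGISTER_LISTENER* entry in $1 allows only
# IPC and/or TCPS; 1 when there is no active entry or plain TCP (the poisoning
# vector) is still allowed; 2 when TCPS is allowed but the file has no
# WALLET_LOCATION, so TCPS registration would fail for lack of a certificate.
cost_check_listener_ora() {
    file=$1
    active=$(grep -E '^[[:space:]]*SECURE_REGISTER_LISTENER' "$file" || true)
    if [ -z "$active" ]; then
        echo "$file: no active SECURE_REGISTER_LISTENER entry, registration is unrestricted"
        return 1
    fi
    # Keep only the protocol list: drop "NAME =", parentheses and blanks -> IPC,TCPS
    protos=$(printf '%s\n' "$active" | sed -E 's/^[^=]*=//; s/[()[:space:]]//g' | tr 'a-z' 'A-Z')
    if printf '%s\n' "$protos" | grep -Eq '(^|,)TCP(,|$)'; then
        echo "$file: plain TCP registration is still allowed"
        return 1
    fi
    if printf '%s\n' "$protos" | grep -Eq '(^|,)TCPS(,|$)' \
        && ! grep -Eq '^[[:space:]]*WALLET_LOCATION' "$file"; then
        echo "$file: TCPS registration allowed but no WALLET_LOCATION configured"
        return 2
    fi
    echo "$file: registration restricted to $(printf '%s\n' "$protos" | tr '\n' ' ')"
    return 0
}

# Build the TCPS-only REMOTE_LISTENER value for ALTER SYSTEM from host:port pairs.
cost_remote_listener() {
    list=""
    for hp in "$@"; do
        host=${hp%:*}
        port=${hp##*:}
        list="$list(ADDRESS=(PROTOCOL=TCPS)(HOST=$host)(PORT=$port))"
    done
    printf '(ADDRESS_LIST=%s)' "$list"
}

# Return 0 when a "srvctl config scan_listener" output line lists a TCPS endpoint.
cost_scan_has_tcps() {
    printf '%s\n' "$1" | grep -Eq 'Port:.*TCPS:[0-9]+'
}

# Constructed listener.ora samples (not real files) mirroring the states in the article.
COST_DEMO_DIR=$(mktemp -d)
cat > "$COST_DEMO_DIR/scan_initial.ora" <<'EOF'
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /oracle/app/11.2.0/grid/network/admin/cost)))
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
EOF
cat > "$COST_DEMO_DIR/scan_final.ora" <<'EOF'
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /oracle/app/11.2.0/grid/network/admin/cost)))
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
EOF
cat > "$COST_DEMO_DIR/node.ora" <<'EOF'
SECURE_REGISTER_LISTENER = (IPC,TCP)
EOF
cat > "$COST_DEMO_DIR/nowallet.ora" <<'EOF'
SECURE_REGISTER_LISTENER_SCAN1 = (IPC, TCPS)
EOF

for f in scan_initial scan_final node nowallet; do
    cost_check_listener_ora "$COST_DEMO_DIR/$f.ora" || true
done
echo "remote_listener => $(cost_remote_listener 192.168.XX.11:1523)"
```

Run it as-is to see each sample classified; to audit a real system, point cost_check_listener_ora at $GI_HOME/network/admin/listener.ora on every node. The node-listener setting from step 2, (IPC,TCP), is reported as still allowing plain TCP registration, which is exactly the caveat given there. For a live check of the TCPS endpoint, `openssl s_client -connect <scan-ip>:1523 -showcerts` should present the CN=secure_register certificate, and `lsnrctl services LISTENER_SCAN1` run as grid should still list every instance after the restart.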
Step 3: rollback
1. Roll back the remote_listener parameter.
alter system set remote_listener='192.168.XX.11:1521' scope=both sid='*';
show parameter remote_listener
2. Remove the TCPS endpoint from the SCAN listener.
srvctl modify scan_listener -p TCP:1521
3. Restore the GI home listener.ora from listener.ora.bak (or comment out the SECURE_REGISTER_LISTENER entries and WALLET_LOCATION) and remove WALLET_LOCATION from the database home sqlnet.ora.
4. Restart the scan_listener, the listener and the database instances.
Summary
The Oracle remote listener poisoning vulnerability mainly affects 11g. For versions below 11.2.0.4, follow My Oracle Support Note 1340831.1, pick out the configuration for the affected version and apply the COST restriction as above. On 11.2.0.4 the fix is simpler (valid node checking for registration instead of a wallet and TCPS endpoint); see My Oracle Support Note 1600630.1.

Author: 金震宇 (上海新炬王翦团队)
Source: the "IT那活儿" WeChat public account
Last modified: 2022-08-22 09:38:10