By Eric P. Maurice-Oracle on Apr 30, 2012
Hi, this is Eric Maurice.
Oracle just released Security Alert CVE-2012-1675 to address the “TNS Listener Poison Attack” in the Oracle Database. With a CVSS Base Score of 7.5, this vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database.
In the April 2012 Critical Patch Update, Oracle provided Security-in-Depth recognition to Joxean Koret. As stated in the Critical Patch Update advisories, “People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.”
As stated in previous blog entries, Oracle fixes vulnerability first in the main code line, and then tries to backport fixes through the Critical Patch Update program for exploitable vulnerabilities that were externally reported. In certain instances, such backporting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions, or because there is no reasonable way to automate the application of the fix (for example when user interaction is required to change configuration parameters).
Shortly after the release of the Critical Patch Update, mistakenly assuming that the issue had been backported through the CPU, Joxean Koret, the initial reporter of this vulnerability, fully disclosed its details, initially stating that it had been fixed by Oracle, then after realizing that it had not been fixed in current releases, reported the vulnerability as a “0-day.”
As a result of this disclosure, Oracle has issued Security Alert CVE-2012-1675 to provide customers with a number of technical measures to provide effective defense against this vulnerability in all deployment scenarios.
Customers on single-node configurations (i.e., non Real Application Cluster (RAC) customers) should refer to the My Oracle Support Note titled “Using Class of Secure Transport (COST) to Restrict Instance Registration” (Doc ID 1453883.1) to limit registration to the local node and the IPC protocol through the COST (Class Of Secure Transport) feature in the listener.
RAC and Exadata customers should refer to the My Oracle Support Note “Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC” (Doc ID 1340831.1) to implement similar COST restrictions.
Note that implementing COST restrictions in RAC environments require the use of SSL/TLS encryption. Such network encryption features were previously only available to customers who were licensed for Oracle Advanced Security. However, RAC customers who were previously not licensed for Oracle Advanced Security need not be concerned about a licensing restriction as Oracle has updated its licensing to allow these customers the use of these features (namely SSL and TLS) to protect themselves against vulnerability CVE-2012-1675. In other words, Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options, and added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters.
Considering that the technical details of vulnerability CVE-2012-1675 have now widely been distributed, Oracle highly recommends that customers make the configuration changes documented in the above mentioned My Oracle Support Notes as soon as possible. Customers should also feel free to contact Oracle Support if they have questions or concerns.
For More Information:
- The Advisory for Security Alert CVE-2012-1675 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
- The My Oracle Support Note titled “Using Class of Secure Transport (COST) to Restrict Instance Registration” (Doc ID 1453883.1) is located at http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
- The My Oracle Support Note titled “Using Class of Secure Transport (COST) to Restrict Instance Registration with SCAN listeners” (Doc ID 1340831.1) is located at http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1340831.1
- Oracle’s security fixing policies are published on the Oracle Software Security Assurance web site located at http://www.oracle.com/us/support/assurance/index.html