[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The history of a -probably- 13 years old Oracle bug: TNS Poison

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: The history of a -probably- 13 years old Oracle bug: TNS Poison
From: laurenz.albe@xxxxxxxxxx
Date: Thu, 26 Apr 2012 12:35:57 GMT

I wanted to comment on the workarounds for this problem:

1) Setting SQLNET.ENCRYPTION_SERVER=REQUIRED on the server is not enough to 
protect you.
   To avoid "man in the middle" attacks, you need to have an SSL certificate on
   the server and SSL_SERVER_DN_MATCH=TRUE in the client's sqlnet.ora.

2) Another way to protect yourself in Oracle 11.1 or better is to configure the 
listener
   to only accept registration requests from the local machine by adding
   SECURE_REGISTER_<listener>=(IPC) to listener.ora.
   The databases must be configured with 
LOCAL_LISTENER='(ADDRESS=(PROTOCOL=IPC)(KEY=<like in listener.ora>))'

Yours,
Laurenz Albe

Prev by Date: Oracle TNS Poison vulnerability is actually a 0day with no patch available
Next by Date: PHP Volunteer Management 'id' 1.0.2 Multiple Vulnerabilities
Previous by thread: The history of a -probably- 13 years old Oracle bug: TNS Poison
Next by thread: Security advisory for Bugzilla 4.2.1, 4.0.6 and 3.6.9
Index(es):
- Date
- Thread