Hi,
We have received a vulnerability report that shows a threat on several Oracle servers.
Threat
Oracle Enterprise Server ships with a server program called listener, which is used for remote database access. The default configuration of listener, which accepts remote commands from listener controllers, does not require a password for authentication of remote connections.
Due to this condition, unauthorized clients can connect to the listener and send it certain commands. Two such commands are 'SET TRC_FILE' and 'SET LOG_FILE', which allow the connecting client to tell the listener server what log files to use.
Unfortunately, the remote client can set these filenames to whatever the Oracle user account can write to (or create new files). When an existing file name is used, it will be corrupted with Oracle log messages.
Impact
By exploiting this vulnerability, malicious users can rename the listener's log file to a new file or an existing file. In the latter case, the existing file will be corrupted.
Note that the existing file name does not need to have the ".log" extension in order to be corrupted.
Solution
1) Please set a password to the listener to prevent unauthorized remote access to it.
2) Alternatively, you may completely disable the runtime modification of the listener's configuration parameters by adding "ADMIN_RESTRICTIONS_[name of listener]=ON" in listener.ora (where listener is the name of the listener). Note that if you are running versions 7.3.4, 8.0.6, 8.1.6, you will first need to install a patch from http://metalink.oracle.com (generic bug number of 1361722) before doing this.
Note: Please be aware that changing any of the settings above requires the listener to be restarted.
My findings
Here is the list of Oracle servers and their details for solution 2.
Server names | Version | ADMIN_RESTRICTION |
server1 | TNSLSNR for HPUX: Version 9.2.0.7.0 - Production | ADMIN_RESTRICTION does not exist |
server2 | TNSLSNR for Solaris: Version 8.1.7.4.0 - Production | ADMIN_RESTRICTION does not exist |
server3 | TNSLSNR for Solaris: Version 8.1.7.4.0 Production | ADMIN_RESTRICTION does not exist |
server4 | TNSLSNR for Solaris: Version 8.1.7.4.0 - Production | ADMIN_RESTRICTION does not exist |
Could you please check and suggest on the solution as to which one to implement for above threat?
Regards,
Bala
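
Added example, not part of the original post and not Oracle's code: a small audit that reads a listener.ora and reports, for each listener, whether either mitigation from the report (a listener password via the PASSWORDS_[name of listener] parameter, or ADMIN_RESTRICTIONS_[name of listener]=ON) is present. The sample file is constructed, and treating any top-level entry with an ADDRESS clause as a listener is an assumption of this sketch.

```python
import re

# Constructed sample listener.ora; hosts, SID and password hash are made up.
SAMPLE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
LISTENER2 =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1522))
ADMIN_RESTRICTIONS_LISTENER2 = ON
PASSWORDS_LISTENER2 = (0123456789ABCDEF)
"""

TOKEN = re.compile(r"[()]|([A-Za-z_][\w.]*)\s*=")
PER_LISTENER = ("SID_LIST_", "PASSWORDS_", "ADMIN_RESTRICTIONS_")

def top_level_params(text):
    """Return {NAME: value} for assignments made outside any parentheses."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    params, depth, name, start = {}, 0, None, 0
    for m in TOKEN.finditer(text):
        if m.group(0) == "(":
            depth += 1
        elif m.group(0) == ")":
            depth -= 1
        elif depth == 0:                          # a new top-level NAME =
            if name is not None:
                params[name] = text[start:m.start()].strip()
            name, start = m.group(1).upper(), m.end()
    if name is not None:
        params[name] = text[start:].strip()
    return params

def audit(text):
    """Report, per listener, whether either mitigation is configured."""
    p = top_level_params(text)
    # Assumption: a listener is a top-level entry holding an ADDRESS clause.
    names = [n for n, v in p.items() if v.startswith("(")
             and "ADDRESS" in v.upper() and not n.startswith(PER_LISTENER)]
    return {n: {"admin_restrictions":
                    p.get("ADMIN_RESTRICTIONS_" + n, "").upper() == "ON",
                "password_set": bool(p.get("PASSWORDS_" + n, "").strip("() "))}
            for n in names}

if __name__ == "__main__":
    for listener, state in audit(SAMPLE).items():
        print(listener, state)
```

A listener that reports False for both keys matches the "ADMIN_RESTRICTION does not exist" rows in the table above and still accepts unauthenticated SET LOG_FILE / SET TRC_FILE commands.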