Oracle Corp. has just issued the following security alert:
Vulnerability in the Oracle Listener Program
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Versions Affected
~~~~~~~~~~~~~~~~~
Oracle listener program releases 7.3.4, 8.0.6 and 8.1.6
Platforms Affected
~~~~~~~~~~~~~~~~~~
All platforms except Open VMS.
Description
~~~~~~~~~~~
A security vulnerability in the listener program of the Oracle Enterprise Server has been
discovered. Using this vulnerability, a knowledgeable and malicious attacker can potentially
gain a higher level of access to the Oracle owner account and Oracle databases and introduce
malicious code into various operating systems.
The commands SET LOG_FILE and SET TRC_FILE allow the log and trace files, respectively, to
which the listener program writes, to be modified dynamically while the listener program is
running. The listener program can be configured to append and/or overwrite logging and tracing
information to any operating system file that can be written by the Oracle owner, such as an
alert file or a database file, and thereby corrupt an Oracle database and potentially
introduce malicious code into the operating system.
Workaround
~~~~~~~~~~
You must apply the patch as soon as it is available for your platform. However, an
interim workaround until the patch is available for your platform is to password
protect the listener. Once the listener has been password
protected the SET LOG_FILE and SET TRACE_FILE commands in lsnrctl will not
work without a password.
For instructions on how to password protect the listener see the following:
<Note:92602.1> How to password protect your listener
In addition to setting the listener password you should also set up your
permissions to limit who has access to the listener.ora file and the
lsnrctl executable.
Patches
~~~~~~~
The generic bug filed against the Oracle listener program is 1361722.
The patch for this exploit allows a database administrator to restrict run-time administration
of the Oracle listener program. A new parameter, ADMIN_RESTRICTIONS_LISTENER, has been
introduced into listener.ora, the control file for the Oracle listener program. Setting
ADMIN_RESTRICTIONS_LISTENER=ON prevents the vulnerability from being exploited by disabling
the run-time modification of parameters in listener.ora. That is, the listener program will
refuse to accept SET commands that alter its parameters and attempting to issue a SET command
will result in the generation of an error message. Thus, to change any one of the parameters
in listener.ora, including ADMIN_RESTRICTIONS_LISTENER itself, this file needs to be edited
manually and its parameters need to be reloaded manually (e.g., LSNRCTL RELOAD) for the new
changes to take effect without explicitly stopping and restarting the listener program.
Operating system access to the protected Oracle account owner directories and files is
required to edit listener.ora. Note that the Oracle account owner directories and files must
be protected in the operating system by setting the access control permissions on them as
recommended by Oracle Corporation in its user manuals.
ADMIN_RESTRICTIONS_LISTENER=OFF is the default value when the listener program is installed in
order to maintain current customer environments and backward compatibility. There is no change
in the run-time behavior of the listener program or in syntax of the SET commands in this mode
of operation.
Oracle Corporation recommends establishing the listener program password in this mode of
operation.
Patches are available in MetaLink. Login to MetaLink at Choose
the Patches button and select SQL*Net from the drop-down product list.
The patches are also available for download from the Oracle FTP server.
FTP Server Patch Locations
--------------------------
Compaq Tru64 UNIX
ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/81620/bug1399204
ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/81600/bug1399208
ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/81500/bug1399209
ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/80600/bug1399212
ftp://oracle-ftp.oracle.com/server/patchsets/unix/ALPHA_OSF/73400/bug1399214
Fujitsu UXP/DS
ftp://oracle-ftp.oracle.com/server/patchsets/unix/FUJITSU_UXPDS/806/bug1414374
ftp://oracle-ftp.oracle.com/server/patchsets/unix/FUJITSU_UXPDS/7345/bug1414392
Hitachi 3050/R Risc UNIX
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HITACHI_3050RX/8.0.5/bug1414786
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HITACHI_3050RX/7.3.4/bug1414768
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HITACHI_3050RX/8.0.6/bug1414795
HP 9000 Series HP-UX
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/81620/11.0.32/bug1398177
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/8150/32bit/bug1398199
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/11.00/80610/bug1398216
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/11.00/32bit/7345/bug1398229
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/81600/32bit/bug1398259
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/7345/10.20/7345/bug1398278
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/81600/64bit/bug1398288
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/8150/64bit/bug1398292
ftp://oracle-ftp.oracle.com/server/patchsets/unix/HP9800/806/11.00/64bit/bug1398299
IBM RS 6000 AIX
ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/81620/bug1399170
ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/81600/bug1399179
ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/81500/bug1399185
ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/80600/bug1399190
ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_32BIT/734/bug1399191
ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_64BIT/81600/bug1399194
ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_64BIT/81500/bug1399196
ftp://oracle-ftp.oracle.com/server/patchsets/unix/IBM_RS6000_64BIT/80600/bug1399201
Intel Based Server LINUX
ftp://oracle-ftp.oracle.com/server/patchsets/unix/LINUX/8161/bug1399217
ftp://oracle-ftp.oracle.com/server/patchsets/unix/LINUX/815/bug1399218
ftp://oracle-ftp.oracle.com/server/patchsets/unix/LINUX/806/bug1399222
Sun SPARC Solaris
ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/8062/bug1389364
ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/815/bug1389366
ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/81600/bug1389370
ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/81610/bug1389378
ftp://oracle-ftp.oracle.com/server/patchsets/unix/SUN_SOLARIS2/81620/bug1389380
References
~~~~~~~~~~
<BUG:1361722>
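As an added check (not part of Oracle's alert or its tooling), the POSIX shell audit below tests a listener.ora for the two mitigations the alert describes, ADMIN_RESTRICTIONS_LISTENER=ON and a listener password, and for the file permissions the workaround section asks for. It assumes the listener is named LISTENER (the parameter suffix), that the password shows up as a PASSWORDS_LISTENER entry, and the two sample files it writes are constructed for the demonstration.

```shell
# Added example, not Oracle's code: audit a listener.ora for the mitigations the
# alert names (ADMIN_RESTRICTIONS_LISTENER=ON, a listener password) and for loose
# file permissions. Assumes the listener is named LISTENER (the parameter suffix).

# 0 when ADMIN_RESTRICTIONS_LISTENER is ON; tolerates spaces and mixed case.
admin_restrictions_on() {
    grep -iqE '^[[:space:]]*ADMIN_RESTRICTIONS_LISTENER[[:space:]]*=[[:space:]]*ON' "$1"
}

# 0 when a PASSWORDS_LISTENER entry exists (written by lsnrctl CHANGE_PASSWORD +
# SAVE_CONFIG), meaning SET LOG_FILE / SET TRC_FILE require a password.
listener_password_set() {
    grep -iqE '^[[:space:]]*PASSWORDS_LISTENER[[:space:]]*=' "$1"
}

# 0 when neither group nor others may write the file (ls -l columns 6 and 9).
not_group_other_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# Runs the three checks, prints one line per finding, returns the finding count.
audit_listener_ora() {
    f=$1; n=0
    admin_restrictions_on "$f" || { echo "FAIL $f: ADMIN_RESTRICTIONS_LISTENER not ON"; n=$((n+1)); }
    listener_password_set "$f" || { echo "FAIL $f: no PASSWORDS_LISTENER (SET is unauthenticated)"; n=$((n+1)); }
    not_group_other_writable "$f" || { echo "FAIL $f: writable by group/others"; n=$((n+1)); }
    return $n
}

# Constructed samples: an as-installed file (default OFF, no password) and a hardened one.
make_samples() {
    printf 'LISTENER = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521))\n' > "$1/default.ora"
    printf 'ADMIN_RESTRICTIONS_LISTENER = OFF\n' >> "$1/default.ora"
    chmod 664 "$1/default.ora"
    printf 'LISTENER = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521))\n' > "$1/hardened.ora"
    printf 'ADMIN_RESTRICTIONS_LISTENER = ON\nPASSWORDS_LISTENER = (PLACEHOLDER_HASH)\n' >> "$1/hardened.ora"
    chmod 640 "$1/hardened.ora"
}

dir=$(mktemp -d)
make_samples "$dir"
audit_listener_ora "$dir/default.ora" || echo "default.ora: $? finding(s)"
audit_listener_ora "$dir/hardened.ora" && echo "hardened.ora: clean"
rm -r "$dir"
```

Run it against the real file with `audit_listener_ora $ORACLE_HOME/network/admin/listener.ora`; a non-zero return is the number of findings, and after editing the file the change only takes effect after `lsnrctl reload` as the alert notes.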