CVE-2012-1675
Description:
The remote Oracle TNS listener allows service registration from a remote host. An attacker can exploit this issue to divert data from a legitimate database server or client to an attacker-specified system.
Successful exploits will allow the attacker to manipulate database instances, potentially facilitating man-in-the-middle, session-hijacking, or denial of service attacks on a legitimate database server.
Solution
Apply the workaround in Oracle's advisory.
Versions before 11.2.0.4: Doc ID 1453883.1
https://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
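Official solution:
11.2.0.4 and later: Doc ID 1600630.1
On a standalone (single-instance) server, simply append the following line to the end of the listener.ora file (replace listener_name with the name of your own listener):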
VALID_NODE_CHECKING_REGISTRATION_listener_name=ON
Then restart the listener:
IMPORTANT NOTE: A restart (not reload) of the listener process will be necessary after making the changes to VNCR in the listener.ora file:
LSNRCTL>set current_listener listener_name
LSNRCTL>stop
LSNRCTL>start
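
A way to verify the setting above across a listener.ora file, as an added example that is not part of the original post or of Oracle's advisory: it finds every listener defined in the file and reports those without VALID_NODE_CHECKING_REGISTRATION_<name> = ON, plus any setting whose suffix matches no listener (for example a literal listener_name left unchanged). The sample file, host names and function names are constructed for illustration, and treating parameter names and the ON value as case-insensitive is an assumption.

```python
import re

PREFIX = "VALID_NODE_CHECKING_REGISTRATION_"

# Constructed sample listener.ora: two listeners, one correct setting, one stray setting.
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
  )
LISTENER_APP =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1522)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
VALID_NODE_CHECKING_REGISTRATION_listener_name = ON
"""

def parse_top_level(text):
    """Return {NAME: value} for each top-level 'NAME = value' entry (names upper-cased)."""
    entries, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        # A new entry can only start outside any parenthesised block.
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line) if depth == 0 else None
        if m:
            name = m.group(1).upper()
            entries[name] = m.group(2)
        elif name:
            entries[name] += " " + line.strip()   # continuation of the current entry
        depth += line.count("(") - line.count(")")
    return entries

def audit_vncr(text):
    """Return ({listener: has_vncr_on}, [setting suffixes that match no listener])."""
    entries = parse_top_level(text)
    # Assumption: an entry whose value contains an (ADDRESS ...) clause defines a listener.
    listeners = [n for n, v in entries.items() if re.search(r"\(\s*ADDRESS\b", v, re.I)]
    status = {n: entries.get(PREFIX + n, "").strip().upper() == "ON" for n in listeners}
    orphans = [n[len(PREFIX):] for n in entries
               if n.startswith(PREFIX) and n[len(PREFIX):] not in listeners]
    return status, orphans

if __name__ == "__main__":
    status, orphans = audit_vncr(SAMPLE)
    for name, ok in status.items():
        print(f"{name}: {'VNCR ON' if ok else 'VNCR not set to ON'}")
    for name in orphans:
        print(f"setting for {name}: suffix matches no listener in this file")
```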