That depends......and “SECURE_REGISTER_LISTENER = (IPC)” work-around...
Using the IPC workaround should NOT interrupt "normal" client connections. Did you also set the IPC keyname in listener.ora AND listener_local database server init.ora parameter?
Before any changes, I successfully registered a remote windows XE db to a linux XE db listener, showing my linux db was vulnerable to the poison attack.
(lsnrctl services on the linux db server showed a "REMOTE SERVER" entry).
Applying the following changes stopped the exploit from being carried out:
listener.ora of 11.2 linux XE db to disallow remote db registering:

# listener.ora Network Configuration File:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/xe)
      (PROGRAM = extproc)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
      (ADDRESS = (PROTOCOL = TCP)(HOST = oraserver)(PORT = 1512))
    )
  )

DEFAULT_SERVICE_LISTENER = (XE)
SECURE_REGISTER_LISTENER = (IPC)
I bounced the listener (lsnrctl stop,... lsnrctl start)
Then configured linux xe db local_listener parameter:

SQL> ALTER SYSTEM SET local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC_FOR_XE)))' SCOPE=BOTH;
system altered

...and tried to re-register windows XE db...

SQL> ALTER SYSTEM SET remote_listener ='...' SCOPE=MEMORY;
system altered
SQL> ALTER SYSTEM REGISTER;
system altered

Checked linux XE listener.log... and it had

19-JAN-2017 16:03:28 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
showing failed register attempts from a "remote" db. Also running "lsnrctl services" on the linux server, there was no "REMOTE SERVER" listed.
Also tested a remote client connection via sqlplus:

F:\> sqlplus name/[email protected]> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production
CORE 11.2.0.2.0 Production
TNS for Linux: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production

In conclusion, the above steps worked for me in securing an Oracle 11 XE db from the poison attack whilst still allowing normal client connections.
I can only surmise you didn't follow the steps correctly to set up the IPC "work around".
Cheers,
Gaz.
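
The two settings the post says must agree (the IPC key in listener.ora and the one in local_listener) can be checked mechanically. The following is an added example, not part of the original post: the function names are hypothetical, the sample input is constructed from the configuration quoted above, and the parser assumes (PROTOCOL=IPC) is written before (KEY=...).

```python
import re

# Constructed input: the listener.ora settings quoted in the post above.
SAMPLE = """
# listener.ora Network Configuration File:
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
      (ADDRESS = (PROTOCOL = TCP)(HOST = oraserver)(PORT = 1512))))
DEFAULT_SERVICE_LISTENER = (XE)
SECURE_REGISTER_LISTENER = (IPC)
"""
# Assumption: (PROTOCOL=IPC) precedes (KEY=...), as in the post.
IPC_KEY = re.compile(r"PROTOCOL\s*=\s*IPC\s*\)\s*\(\s*KEY\s*=\s*([^)\s]+)", re.I)

def top_level_params(text):
    """Return {NAME: value} for the depth-0 'NAME = value' entries."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    params, depth, name, start = {}, 0, None, 0
    for m in re.finditer(r"[()]|([A-Za-z_][\w.]*)\s*=", text):
        if m.group(0) in "()":
            depth += 1 if m.group(0) == "(" else -1
        elif depth == 0:  # a new top-level parameter starts here
            if name:
                params[name] = text[start:m.start()].strip()
            name, start = m.group(1).upper(), m.end()
    if name:
        params[name] = text[start:].strip()
    return params

def audit(listener_ora, local_listener):
    """List problems with the IPC-only registration setup; empty list = OK."""
    params, findings = top_level_params(listener_ora), []
    for name, value in params.items():
        if not re.search(r"\(\s*ADDRESS\s*=", value, re.I):
            continue  # not a listener definition (e.g. SID_LIST_*)
        allowed = set(re.findall(r"\w+", params.get("SECURE_REGISTER_" + name, "").upper()))
        keys = {k.upper() for k in IPC_KEY.findall(value)}
        if not allowed:
            findings.append(f"SECURE_REGISTER_{name} is not set")
        elif "TCP" in allowed:
            findings.append(f"SECURE_REGISTER_{name} lists TCP as a registration transport")
        if "IPC" in allowed and not keys:
            findings.append(f"{name} has no IPC address for local registration")
        local = IPC_KEY.search(local_listener or "")
        if keys and (not local or local.group(1).upper() not in keys):
            findings.append(f"local_listener does not use an IPC key of {name}")
    return findings
```

An empty result for the post's configuration means the listener restricts registration to IPC and the instance's local_listener points at a key the listener actually exposes.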