此次有用户正好大规模安全漏洞扫描后,发现此漏洞,该漏洞存在于Oracle DB的所有版本中,当然10g和11g均中招.
1. Vulnerability Description(漏洞描述)
This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which hasbeen recently disclosed as "TNS Listener Poison Attack" affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied.
Oracle 2012年发布的告警,CVE-2012-1675漏洞是Oracle允许攻击者在不提供用户名/密码的情况下,向远程“TNS Listener”组件处理的数据投毒的漏洞。举例:攻击者可以再不需要用户名密码的情况下利用网络中传送的数据消息(包括加密或者非加密的数据),如果结合(CVE-2012-3137漏洞进行密码破解)从而进一步影响甚至控制局域网内的任何一台数据库。
2.针对该漏洞,oracle给出了2种不同环境的解决方法:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html Recommendations for protecting against this vulnerability can be found at: My Oracle Support Note 1340831.1 for Oracle Database deployments that use Oracle Real Application Clusters (RAC). My Oracle Support Note 1453883.1 for Oracle Database deployments that do not u
举例说明下(非RAC)单实例情况下的修复和测试方式:图2 中的被劫持的数据库的listener.ora加上:
SE