Oracle Database TNS Poison Attacks CVE-2012-1675 - Integrigy
Oracle Database TNS Poisoning Attacks (CVE-2012-1675)
September 29, 2016
Stephen Kost, Chief Technology Officer, Integrigy Corporation
Phil Reimann, Director of Business Development, Integrigy Corporation
About Integrigy
ERP Applications
Oracle E-Business Suite
Databases
Oracle and Microsoft SQL Server
Products
AppSentry
ERP Application and Database Security Auditing Tool
AppDefend
Enterprise Application Firewall for the Oracle E-Business Suite
Validates Security
Protects Oracle EBS
Verify Security
Ensure Compliance
Build Security
Services
Security Assessments
ERP, Database, Sensitive Data, Pen Testing
Compliance Assistance
SOX, PCI, HIPAA
Security Design Services
Auditing, Encryption, DMZ
Why are we talking about an Oracle Database security vulnerability reported to Oracle in 2008?
60% of databases assessed by Integrigy are vulnerable
Not fixed or enabled by default in 11.2.0.4 and prior
Vulnerability Timeline
1. 2008: Joxean Koret reports security bug to Oracle
2. April 17, 2012: Joxean Koret releases details believing bug fixed in April 2012 CPU
3. April 30, 2012: Oracle releases one-off advisory with work-arounds
4. June 20, 2014: Oracle updates advisory confirming 11.2.0.4 vulnerable 8 months after release
5. 2016: Vulnerable databases everywhere
Oracle Database Listener Registration
Listener registration allows a database to register dynamically with the TNS listener
Static service entries not required in listener.ora for ease of management
Local Registration
Controlled by initialization parameters LOCAL_LISTENER, REMOTE_LISTENER, DISPATCHERS
Remote registration used by RAC to register databases in a clustered environment
TNS Poisoning Attack - One-off - April 30, 2012
Vuln #: CVE-2012-1675
Component: Listener
Protocol: Oracle Net
Package and/or Privilege Required: None
Remote Exploit without Auth.?: Yes
CVSS VERSION 2.0 RISK
  Base Score: 7.5
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality: Partial+
  Integrity: Partial+
  Availability: Partial
Last Affected Patch set (per Supported Release): ALL VERSIONS
This vulnerability is not patched by a SPU or PSU. The TNS Listener configuration must be secured.
ALL VERSIONS of the Oracle Database are affected. 12c (12.1.0.1 and 12.1.0.2) are protected by default, but vulnerable if Valid Node Checking Registration (VNCR) is disabled.
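Because the fix is configuration rather than a patch, a listener.ora audit is the practical check. The following is an added example, not Integrigy's or Oracle's code: it reports the effective VNCR state per listener, covering only VNCR (the one control named above). The parameter name VALID_NODE_CHECKING_REGISTRATION_<listener> and its values are taken from Oracle's Net Services reference, and the sample file and function names are constructed for illustration.

```python
import re

# Parameter name and values come from Oracle's Net Services reference, not from
# the slides. SAMPLE_LISTENER_ORA is constructed for this example.
ENABLED = {"ON", "1", "LOCAL", "SUBNET", "2"}
DISABLED = {"OFF", "0"}
PARAM = re.compile(r"^\s*VALID_NODE_CHECKING_REGISTRATION_(\w+)\s*=\s*(\w+)",
                   re.IGNORECASE | re.MULTILINE)
# A listener definition looks like "NAME = (DESCRIPTION..." or "NAME = (ADDRESS...".
LISTENER_DEF = re.compile(r"^(\w+)\s*=\s*\(\s*(?:DESCRIPTION|ADDRESS)",
                          re.IGNORECASE | re.MULTILINE)

SAMPLE_LISTENER_ORA = """\
# constructed sample
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1521))))
LISTENER_APP =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1522)))
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
VALID_NODE_CHECKING_REGISTRATION_LISTENER = OFF
#VALID_NODE_CHECKING_REGISTRATION_LISTENER_APP = ON
"""

def audit_vncr(listener_ora, default_enabled):
    """Map each listener to (state, reason). default_enabled is the release
    default: True for 12c, False for 11.2.0.4, as the slides describe."""
    lines = [ln for ln in listener_ora.splitlines() if not ln.lstrip().startswith("#")]
    text = "\n".join(lines)
    explicit = {m.group(1).upper(): m.group(2).upper() for m in PARAM.finditer(text)}
    names = {m.group(1).upper() for m in LISTENER_DEF.finditer(text)} | set(explicit)
    report = {}
    for name in sorted(names):
        value = explicit.get(name)
        if value is None:
            state = "enabled" if default_enabled else "disabled"
            report[name] = (state, "not set; release default applies")
        elif value in ENABLED:
            report[name] = ("enabled", "explicitly set to " + value)
        elif value in DISABLED:
            report[name] = ("disabled", "explicitly set to " + value)
        else:
            report[name] = ("unknown", "unrecognised value " + value)
    return report

def needs_attention(report):
    """Listeners whose registration is not restricted by VNCR."""
    return [n for n, (state, _) in report.items() if state != "enabled"]

if __name__ == "__main__":
    for name, (state, why) in audit_vncr(SAMPLE_LISTENER_ORA, True).items():
        print(f"{name}: VNCR {state} ({why})")
```

A commented-out setting is treated as absent, so on a 12c home LISTENER_APP inherits the protected default while LISTENER, explicitly set to OFF, is flagged.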