Plan background

The data-centre vulnerability scan flagged an Oracle vulnerability: Oracle TNS Listener Remote Poisoning, i.e. the remote data poisoning vulnerability (CVE-2012-1675). Fixing it requires editing the listener.ora file and restarting the listener, which is estimated to need a 5-minute downtime window.
Vulnerability description
This vulnerability allows an attacker, without supplying a username/password, to poison data handled by the remote "TNS Listener" component. COST is short for Class of Secure Transports, a security control mechanism provided to govern instance registration. For a given listener, it restricts which instances may register over which protocols, which prevents malicious registration by other remote instances and the resulting risks such as information disclosure.
It works by setting the parameter SECURE_REGISTER_listener_name in listener.ora to a transport list (a restricted list of registration protocols, such as IPC, TCP, TCPS). The feature is supported from 10.2.0.3 onward (although the 10g R2 online documentation does not state this explicitly) and remains available in 11.2.0.4 and later. However, from 11.2.0.4 on, Oracle recommends using the default VNCR configuration instead.
Modification steps
1. Execute on both nodes: add the VALID_NODE_CHECKING_REGISTRATION_listener_name=ON and REGISTRATION_INVITED_NODES_LISTENER_SCAN1 parameters to the current listener.ora file. Take a backup copy of the file before editing.
VALID_NODE_CHECKING_REGISTRATION_listener_name values:
  OFF/0 - Disable VNCR
  ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register.
  SUBNET/2 - All machines in the subnet are allowed registration.
hzbk1:
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))    # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))    # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON    # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON    # line added by Agent
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = +ASM1)
      (ORACLE_HOME = /oracle/grid/crs_1)
    )
  )
SID_LIST_DBRA =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = hzbk)
      (ORACLE_HOME = /oracle/app/product/11.2.0.4/db_1)
      (SID_NAME = hzbk1)
    )
  )
DBRA =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.255.239.21)(PORT = 1522))
    )
  )
#----ADDED BY TNSLSNR 05-SEP-2017 10:44:52---
LOGGING_LISTENER = OFF
#--------------------------------------------
#----ADDED BY VNCR 20190527----
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=( hzbike1, hzbike2)
#-------------------------------
hzbk2:
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))    # line added by Agent
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))    # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON    # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON    # line added by Agent
SID_LIST_DBRA =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = hzbk)
      (ORACLE_HOME = /oracle/app/product/11.2.0.4/db_1)
      (SID_NAME = hzbk2)
    )
  )
DBRA =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.80.155)(PORT = 1522))
    )
  )
#----ADDED BY TNSLSNR 22-AUG-2017 10:33:14---
LOGGING_LISTENER_SCAN1 = OFF
#--------------------------------------------
#----ADDED BY TNSLSNR 05-SEP-2017 11:01:17---
LOGGING_LISTENER = OFF
#--------------------------------------------
#----ADDED BY VNCR 20190527----
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=( hzbike1, hzbike2)
#-------------------------------
2. Restart the listeners
Execute on either node. A downtime window is required, but since only the listeners are restarted it is very short, estimated at under 5 minutes.
srvctl stop listener
srvctl stop scan_listener
srvctl stop scan
srvctl start listener
srvctl start scan_listener
srvctl start scan
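Before the restart it is worth confirming that both nodes' listener.ora files actually carry the VNCR parameters for every listener they define. The following Python checker is an added example, not part of this plan: it parses a listener.ora laid out as above (NAME = value at column 0, indented continuation lines, # comments) and reports each listener entry's VNCR mode and invited-node list. The embedded sample is the hzbk1 file from this plan trimmed to the relevant entries; the function names are my own.

```python
import re
# Constructed sample: the hzbk1 listener.ora from this plan, trimmed to the entries that matter here.
SAMPLE_LISTENER_ORA = """
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))    # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))    # line added by Agent
DBRA =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.255.239.21)(PORT = 1522))
    )
  )
#----ADDED BY VNCR 20190527----
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=( hzbike1, hzbike2)
"""

ENTRY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")  # NAME = value at column 0
# Aliases the page lists for VALID_NODE_CHECKING_REGISTRATION_<listener>, folded to one word each.
VNCR_MODES = {"ON": "LOCAL", "1": "LOCAL", "2": "SUBNET", "0": "OFF"}

def parse_listener_ora(text):
    """Return {NAME: value} for every top-level entry, with multi-line values joined."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip trailing comments, keep the config
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1).upper()
            params[current] = m.group(2).strip()
        elif current is not None:
            params[current] += line.strip()       # indented continuation of a multi-line value
    return params

def vncr_report(params):
    """For each listener entry (its value holds an ADDRESS), report VNCR mode and invited nodes."""
    report = {}
    for name, value in params.items():
        if "(ADDRESS" not in value.replace(" ", ""):
            continue                              # plain parameters and SID_LISTs are not listeners
        mode = params.get("VALID_NODE_CHECKING_REGISTRATION_" + name, "").strip().upper()
        invited = params.get("REGISTRATION_INVITED_NODES_" + name, "").strip("() ")
        report[name] = {"mode": VNCR_MODES.get(mode, mode or "MISSING"),
                        "invited": [n.strip() for n in invited.split(",") if n.strip()]}
    return report

def listeners_without_vncr(report):   # OFF or unset; the operator decides per listener if it needs VNCR
    return sorted(n for n, r in report.items() if r["mode"] in ("OFF", "MISSING"))
```

On this sample the checker reports LISTENER and LISTENER_SCAN1 as LOCAL and lists DBRA as having no VNCR parameter; in this file DBRA only carries the static SID_LIST_DBRA registration, so whether it also needs VNCR is a decision for the operator.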
Rollback
Remove the VALID_NODE_CHECKING_REGISTRATION_listener_name and REGISTRATION_INVITED_NODES_LISTENER_SCAN1 parameters from listener.ora on both nodes, then restart the listeners.
Test results
1. Add the VNCR configuration to listener.ora on both nodes of the RAC test environment.
RAC1:

RAC2:

2. Restart the listeners
srvctl stop listener
srvctl stop scan_listener
srvctl stop scan
srvctl start listener
srvctl start scan_listener
srvctl start scan
3. On another database (IP 192.168.202.10), change remote_listener to the SCAN IP of the RAC environment.
alter system set remote_listener='192.168.210.84:1521';
4. In the RAC database's listener_scan1.log the entries below can be seen, showing that the other database was blocked from registering with the listener.

References
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC (Doc ID 1340831.1)
Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)
Notes on the COST alternative (SECURE_REGISTER_listener_name):
1. Stop the listener
2. LISTENER.ORA:
   SECURE_REGISTER_LISTENER = (IPC)
3. LSNRCTL> start listener
--4. alter system register;
4. alter system set local_listener='(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))' scope=both;
5. LSNRCTL> services listener_prod
alter system set local_listener='' scope=both;
