Turning off dynamic listener registration on non-RAC systems to protect against “Oracle TNS Listener Poison Attack”
May 24, 2012 Leave a comment
Environment: Oracle database 188.8.131.52 64-bit, Oracle Linux 6.2 64-bit
Oracle recently released a security alert (CVE-2012-1675) where they warn against a possible “Oracle TNS Listener Poison Attack”. There is no real fix, but there are a number of workarounds that you can use to protect your listeners against unauthorised hijacking.
One of the workarounds involves turning off dynamic registration of database instances by the listener service. However, this workaround can only be used for stand-alone, non-RAC installations. For RAC, you can implement secure transports, which are explained in My Oracle Support document 1453883.1 (if you have access to Oracle support).
Dynamic registration is by default turned on in Oracle 11g. To turn it off, there are two things you need to modify in your $ORACLE_HOME/network/listener.ora file:
First, you need to add a description for all the database instances that the listener will handle. If you fail to do this, any clients trying to connect will receive “ORA-12154: TNS:could not resolve the connect identifier specified” errors after you turned off the dynamic registration.
This is an example for my instance “oratst.mydomain.com”:
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (GLOBAL_DBNAME = oratst.mydomain.com) (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1) (SID_NAME = oratst) ) )
Note: the GLOBAL_DBNAME and SID_NAME can be found by checking the Oracle initialization parameters db_name, db_domain and instance_name.
Next, to turn off dynamic registration, you need to add the following line to the listener.ora file:
DYNAMIC_REGISTRATION_LISTENER = OFF
This is how my full listener.ora file now looks like:
# listener.ora Network Configuration File: /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora # Generated by Oracle configuration tools. LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oracle-tst.mydomain.com)(PORT = 1521)) ) ) SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (GLOBAL_DBNAME = oratst.mydomain.com) (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1) (SID_NAME = oratst) ) ) ADR_BASE_LISTENER = /u01/app/oracle # needed to solve a conflict with the ONS service installed in the OHS home # see metalink note 284602.1 SUBSCRIBE_FOR_NODE_DOWN_EVENT_LISTENER = OFF DYNAMIC_REGISTRATION_LISTENER = OFF
After this, use the listener control utility (lsnrctl) to reload your listener’s configuration, and check the status of the services and the dynamic registration:
>lsnrctl LSNRCTL for Linux: Version 184.108.40.206.0 - Production on 24-MAY-2012 13:45:49 Copyright (c) 1991, 2011, Oracle. All rights reserved. Welcome to LSNRCTL, type "help" for information. LSNRCTL> reload Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-tst.mydomain.com)(PORT=1521))) The command completed successfully LSNRCTL> services Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-tst.mydomain.com)(PORT=1521))) Services Summary... Service "oratst.mydomain.com" has 1 instance(s). Instance "oratst", status UNKNOWN, has 1 handler(s) for this service... Handler(s): "DEDICATED" established:0 refused:0 LOCAL SERVER The command completed successfully LSNRCTL> show dynamic_registration Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oracle-tst.mydomain.com)(PORT=1521))) LISTENER parameter "dynamic_registration" set to OFF The command completed successfully
Note: the status “UNKNOWN” is normal when you are not using dynamic registration.
Finally, check if you can still connect to the database using a remote client!