
Oracle TNS Listener poisoning: restricting instance registration with COST

Date: 2021-09-25 16:18:26


Overview

Oracle Database Server is vulnerable to data poisoning of its remote "TNS Listener" component. The listener accepts instance registrations from any host that can reach it over the network, so an attacker can register a bogus instance (or a duplicate of a legitimate service name) and have the listener route connections meant for the real database to a system under the attacker's control. That gives the attacker a man-in-the-middle position between clients and the legitimate database, and enables session hijacking or denial of service (the issue commonly known as TNS Poison, CVE-2012-1675). The fix applied here restricts which transports the listener accepts registration over, so that only instances that can authenticate through a wallet-backed TCPS endpoint, or that run on the local node and register over IPC, are able to register.

Note: this procedure applies to single-instance and RAC databases on versions 10.2.0.3 through 11.2.0.3.

For an 11.2.0.4 database use VNCR instead; see Doc ID 1600630.1 and the section at the end of this document.

Preparation

Critical patch check: patch 12880299 must be installed in the home whose listener you are securing (confirm with OPatch lsinventory before continuing). The SECURE_REGISTER_* listener parameter this procedure relies on is only available once that patch is in place.

Create the wallet

As the oracle user on node 1:

mkdir /oracle/grid/crs_1/network/admin/cost

$ orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:

The wallet password used in this walkthrough was uni09net. Choose your own: it protects the private key that the TCPS registration endpoint presents.

Optionally, remove any pre-existing trusted certificates from the cost wallet (this step can be skipped on a freshly created wallet):

orapki wallet remove -trusted_cert_all -wallet /oracle/grid/crs_1/network/admin/cost

Add node 1's self-signed certificate to the wallet:

orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650

In this walkthrough the first run could not open the wallet and the command was simply re-run:

$ orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
PKI-0: Unable to load the wallet at: /oracle/grid/crs_1/network/admin/cost

[oracle@apple1 ~]$ orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) Oracle and/or its affiliates. All rights reserved.
Enter wallet password:

The 1024-bit RSA key is what this walkthrough used. On any current release prefer -keysize 2048: the certificate only terminates TLS for instance registration, but there is no reason to keep a key size that is already considered weak.

Display the wallet contents:

$ orapki wallet display -wallet /oracle/grid/crs_1/network/admin/cost -summary
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register

Copy the wallet file to node 2 under the oracle user (create the directory there first):

scp /oracle/grid/crs_1/network/admin/cost/ewallet.p12 apple2:/oracle/grid/crs_1/network/admin/cost

On both nodes, as the oracle user, create the auto-login (sso) wallet so the listener and the instance can open it without a password prompt:

$ orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost -auto_login
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) Oracle and/or its affiliates. All rights reserved.
Enter wallet password:

Fix the permissions. The auto-login file has to be readable by the grid user (via the oinstall group) that runs the listener, but by nobody else; the password-protected ewallet.p12 stays owner-only:

chmod 640 cwallet.sso

-rw-r-----. 1 oracle oinstall 2485 Aug 2 09:09 cwallet.sso
-rw-------. 1 oracle oinstall 2408 Aug 2 09:07 ewallet.p12

Modify listener.ora

On every node, add the following to the GI_HOME listener.ora:

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
)
)

#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)

Add one SECURE_REGISTER line per SCAN listener; with several SCAN listeners continue in the same way:

#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)

Leave the SECURE_REGISTER lines commented out for now. They are activated in step 2.5, once the TCPS endpoint exists and remote_listener points at it; enabling the restriction first would stop the cluster's own instances from registering, because at this point they still register over plain TCP.

Configure the SCAN listener

As the grid user, add a TCPS endpoint on port 1523 next to the existing TCP endpoint, then restart the SCAN listener:

$ srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521

srvctl modify scan_listener -p TCP:1521/TCPS:1523
srvctl stop scan_listener
srvctl start scan_listener

srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523

Modify sqlnet.ora

On both nodes, as the oracle user, edit $ORACLE_HOME/network/admin/sqlnet.ora (create the file if it does not exist) and add the same wallet location, so that the instance can present the certificate when it registers over TCPS:

WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
)
)

After adding this, restart the database on both nodes.

Modify the remote_listener parameter

Before:

SQL> show parameter remote_listener

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_listener string apple-scan:1521

After:

alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.240.195)(PORT=1523)))' scope=both sid='*';

SQL> show parameter remote

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_dependencies_mode string TIMESTAMP
remote_listener string (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.240.195)(PORT=1523)))

192.168.240.195 is the SCAN IP. The instances now register with the SCAN listener over TCPS on port 1523 instead of plain TCP on 1521.

Step 2.5: activate the restriction

On both nodes, remove the comment marker from the SECURE_REGISTER line(s) added to the grid listener.ora, so that they read

SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)

and restart the SCAN listener:

[oracle@rac1]$ srvctl stop scan_listener
[oracle@rac1]$ srvctl start scan_listener

Verification

Test 1: point another RAC database's remote_listener at the SCAN IP (192.168.240.195) over plain TCP:

alter system set remote_listener ='192.168.240.195:1521';

The SCAN listener log then shows the registration attempts being refused with TNS-01194, which confirms that a foreign RAC can no longer register with this listener:

Tue Jul 31 13:12:45
31-JUL- 13:12:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:13:45
31-JUL- 13:13:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:14:39
31-JUL- 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL- 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport

The status lines are the grid user's periodic status checks from apple2 and are unrelated; the service_register_NSGR lines with return code 1194 are the refused registrations. This is the check to keep watching after the change: the same code also appears if one of your own instances is still registering over TCP, which means its remote_listener or sqlnet.ora was missed.
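The log check from test 1, written out as a small detection script. This is an added example, not part of the original page: it assumes a listener.log whose lines use the " * "-separated layout shown above, and the log excerpt embedded in it is constructed (the date, the repeated attempts and the one accepted registration are made up for the example).

```sh
#!/bin/sh
# Added example: count and list instance-registration attempts that the SCAN
# listener refused under COST. The log excerpt is constructed for this example;
# its layout follows the listener.log lines shown on the page.
SAMPLE_LISTENER_LOG='02-AUG-2018 09:12:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
02-AUG-2018 09:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
02-AUG-2018 09:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
02-AUG-2018 09:20:02 * service_register_NSGR * 0
02-AUG-2018 09:25:11 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport'

# Write the constructed sample to a file so the functions below can be run on it.
write_sample_log() { printf '%s\n' "$SAMPLE_LISTENER_LOG" > "$1"; }

# listener.log event fields are separated by " * ". For a registration event:
#   $1 timestamp, $2 service_register(_NSGR), $3 listener return code.
#   1194 = TNS-01194: the registration came over a transport that is not in
#   SECURE_REGISTER_<listener> and was refused; 0 = registration accepted.
count_rejected_registrations() {
    awk -F' [*] ' '$2 ~ /^service_register/ && $3 == "1194" { n++ } END { print n + 0 }' "$1"
}

count_accepted_registrations() {
    awk -F' [*] ' '$2 ~ /^service_register/ && $3 == "0" { n++ } END { print n + 0 }' "$1"
}

# One timestamp per refused attempt, for correlating with the remote_listener
# change (or the unexpected host) that produced it.
rejected_timestamps() {
    awk -F' [*] ' '$2 ~ /^service_register/ && $3 == "1194" { print $1 }' "$1"
}

# Alerting helper: succeed when refused attempts are at or below $2.
# A handful right after the change is expected (test 1 above); a steady
# stream from a host that is not one of your nodes is the signal to look at.
rejections_within_limit() {
    [ "$(count_rejected_registrations "$1")" -le "$2" ]
}

# Stand-alone use: sh registration_audit.sh /path/to/listener.log
if [ "$#" -ge 1 ] && [ -f "$1" ]; then
    echo "accepted registrations: $(count_accepted_registrations "$1")"
    echo "refused registrations:  $(count_rejected_registrations "$1")"
    rejected_timestamps "$1"
fi
```

Run it against the real SCAN listener log on each node after step 2.5; the accepted count should stay at the number of instances in the cluster, and every refusal should be traceable to a known registration source.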

Test 2: client connections over plain TCP on port 1521 still work, because COST restricts only registration, not client traffic:

C:\Users\think>sqlplus system/oracle@192.168.240.195:1521/prod

SQL*Plus: Release 11.2.0.4.0 Production on Tue Jul 31 13:32:14

Copyright (c) 1982, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options

SQL> exit

Listener configuration (single instance, from the MOS note)

Add the COST TCP protocol restriction "SECURE_REGISTER_[listener_name] = (TCP)" to the listener.ora.

Match the listener_name part of the COST parameter with the name of the listener you are using in the listener.ora. For example, if your listener name is "LISTENER_PROD", use SECURE_REGISTER_LISTENER_PROD = (TCP):

LISTENER_PROD =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
)
)

SECURE_REGISTER_LISTENER_PROD = (TCP)

This is the single-instance form.

The database must be using the TCP protocol to register with the listener. Check the value of the startup parameter local_listener to confirm.

Important for grid installations: the grid agent uses the IPC protocol to contact and manage the listener, so both IPC and TCP must be enabled in this step. For a grid environment use the following value (this is the RAC form of the listener parameter):

SECURE_REGISTER_LISTENER_PROD = (IPC,TCP)

Rollback

To undo the change:

1 alter system set remote_listener='apple-scan:1521' sid='*';

2 rm -rf /oracle/grid/crs_1/network/admin/cost (on both nodes)

3 Comment out the lines added to /oracle/grid/crs_1/network/admin/listener.ora (on both nodes)

4 Comment out the lines added to $ORACLE_HOME/network/admin/sqlnet.ora, then restart the database on both nodes

5 As the grid user, put the SCAN listener back to TCP only:

srvctl modify scan_listener -p TCP:1521
srvctl stop scan_listener
srvctl start scan_listener

About 11.2.0.4

On 11.2.0.4 the listener-poisoning fix is Valid Node Checking for Registration (VNCR) rather than COST. The listener.ora parameter is

VALID_NODE_CHECKING_REGISTRATION_listener_name

Values:

OFF/0 - Disable VNCR
ON/1/LOCAL - The default. Enable VNCR. All local machine IPs can register.
SUBNET/2 - All machines in the subnet are allowed registration.

In 12c the default is ON; in 11.2.0.4 the default is OFF. Add the parameter to listener.ora and restart the listener:

VALID_NODE_CHECKING_REGISTRATION_<listener_name> = ON

Caveat for RAC: ON/LOCAL admits registrations only from the local machine's own IPs, so on a SCAN listener that the other nodes' instances register with, use SUBNET or list the node addresses explicitly in REGISTRATION_INVITED_NODES_<listener_name>; otherwise those instances are refused just like an attacker's.
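An audit of what a listener.ora actually enforces for a named listener. It covers the RAC COST configuration from the listener.ora section (the commented-out line before step 2.5 versus the active line after it), the single-instance SECURE_REGISTER_LISTENER_PROD form from the MOS text, and the VNCR parameter above. This is an added example, not from the original page or from Oracle; the two listener.ora fragments inside it are constructed (they reuse the page's wallet path and LISTENER_SCAN1 name, and the VNCR line for a listener named LISTENER is hypothetical).

```sh
#!/bin/sh
# Added example: report which registration policy a listener.ora enforces.
# Both fragments are constructed for this example. BEFORE mirrors the state
# after "Modify listener.ora" (restriction still commented out); AFTER mirrors
# step 2.5 plus a hypothetical 11.2.0.4-style VNCR line for listener LISTENER.
LISTENER_ORA_BEFORE='WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
    )
  )
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)'

LISTENER_ORA_AFTER='WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
    )
  )
SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)   # COST: registration only over IPC or TLS
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON'

# Print the active (uncommented) value of parameter $2 in listener.ora $1.
# Prints nothing when the parameter is absent or commented out, which is
# exactly the state the page leaves the file in until step 2.5.
listener_param() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }                      # whole-line comment
        {
            line = $0
            sub(/#.*/, "", line)                 # trailing comment
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            if (toupper(key) == toupper(p)) { print val; exit }
        }' "$1"
}

# Classify the registration policy for listener $2 in file $1:
#   COST:<list>   SECURE_REGISTER_<name> is active (patch 12880299, <= 11.2.0.3)
#   VNCR:<value>  VALID_NODE_CHECKING_REGISTRATION_<name> is on (11.2.0.4+)
#   OPEN          neither: any host that can reach the port may register
registration_policy() {
    v=$(listener_param "$1" "SECURE_REGISTER_$2")
    if [ -n "$v" ]; then
        echo "COST:$v"
        return
    fi
    v=$(listener_param "$1" "VALID_NODE_CHECKING_REGISTRATION_$2" | tr 'a-z' 'A-Z')
    if [ -n "$v" ] && [ "$v" != "OFF" ] && [ "$v" != "0" ]; then
        echo "VNCR:$v"
        return
    fi
    echo "OPEN"
}

# Succeed only if the active COST list for listener $2 equals $3,
# e.g. "(IPC,TCPS)" for the RAC setup on this page or "(TCP)" for the
# single-instance form. Case-insensitive; a commented-out line does not count.
cost_matches() {
    got=$(listener_param "$1" "SECURE_REGISTER_$2" | tr 'a-z' 'A-Z')
    want=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Stand-alone use: sh cost_audit.sh /oracle/grid/crs_1/network/admin/listener.ora LISTENER_SCAN1
if [ "$#" -ge 2 ] && [ -f "$1" ]; then
    echo "$2: $(registration_policy "$1" "$2")"
fi
```

Run it on every node's GI_HOME listener.ora for each SCAN listener; a node that still reports OPEN after step 2.5 was missed, and the restriction is only as good as the weakest node.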
