Description:
The remote Oracle TNS listener allows service registration from a remote host. An attacker can exploit this issue to divert data from a legitimate database server or client to an attacker-specified system.
Successful exploits will allow the attacker to manipulate database instances, potentially facilitating man-in-the-middle, session-hijacking, or denial of service attacks on a legitimate database server.
Solution
Apply the workaround in Oracle's advisory.
Versions before 11.2.0.4: Document ID 1453883.1
https://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
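Official solution:
Versions 11.2.0.4 and later: Document ID 1600630.1
For a standalone (single-instance) database, simply append one line to the end of the listener.ora file (replace listener_name with the name of your own listener):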
VALID_NODE_CHECKING_REGISTRATION_listener_name=ON
Then restart:
IMPORTANT NOTE: A restart (not reload) of the listener process will be necessary after making the changes to VNCR in the listener.ora file:
LSNRCTL>set current_listener listener_name
LSNRCTL>stop
LSNRCTL>start
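
A check for the setting described above, as an added example that is not from Oracle's advisory or the original page: the shell function lists every listener defined in a listener.ora that has no VALID_NODE_CHECKING_REGISTRATION_listener_name = ON line. The function name vncr_missing, the sample hosts and the listener names are assumptions, as is treating any top-level parameter with an ADDRESS entry as a listener and accepting only the value ON shown here.

```shell
#!/bin/sh
# Added example: print every listener in a listener.ora that lacks
# VALID_NODE_CHECKING_REGISTRATION_<listener_name> = ON.
# Assumptions: a listener is a top-level parameter whose value holds an
# ADDRESS entry; continuation lines are indented; only ON counts as set.
vncr_missing() {
  awk '
    BEGIN { p = "VALID_NODE_CHECKING_REGISTRATION_" }
    /^[ \t]*#/ { next }                          # comment line
    /^[A-Za-z_][A-Za-z0-9_.]*[ \t]*=/ {          # top-level NAME = value
      eq = index($0, "=")
      name = toupper(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
      val = toupper(substr($0, eq + 1))
      sub(/#.*/, "", val); gsub(/[ \t\r]/, "", val)
      if (index(name, p) == 1) vncr[substr(name, length(p) + 1)] = val
    }
    # An ADDRESS entry under the current parameter marks it as a listener.
    name != "" && toupper($0) ~ /\([ \t]*ADDRESS[ \t]*=/ { listener[name] = 1 }
    END { for (l in listener) if (vncr[l] != "ON") print l }
  ' "$1" | sort
}

# Constructed sample listener.ora (hosts and listener names are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
LISTENER_B =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1522)))
# VALID_NODE_CHECKING_REGISTRATION_LISTENER_B = ON
valid_node_checking_registration_listener = on
EOF

echo "Listeners without VNCR=ON:"
vncr_missing "$sample"
rm -f "$sample"
```

Point the function at the real file (normally under $ORACLE_HOME/network/admin) after editing it and before restarting the listener; an empty result means every defined listener has the line.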