Oracle 11.2.0.4 TNS Listener Remote Poisoning Vulnerability (CVE-2012-1675) Remediation


Remediation for Oracle 11.2.0.4 single-instance and RAC

Original article: https://www.codeleading.com/article/86962079425/

As network security receives more attention, the Oracle TNS listener remote poisoning vulnerability (CVE-2012-1675) has been classified as high severity and needs to be remediated.

Starting with Oracle 11.2.0.4, Oracle introduced the Valid Node Checking For Registration (VNCR) feature; the vulnerability can be remediated by configuring the VALID_NODE_CHECKING_REGISTRATION_LISTENER parameter.

1. Remediating the Oracle TNS listener remote poisoning vulnerability

1.1 Edit the listener file

    vi $ORACLE_HOME/network/admin/listener.ora
    # listener.ora Network Configuration File: /u01/app/oracle/product/11.2.0/db_1/network/admin/listener.ora
    # Generated by Oracle configuration tools.

    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC =
          (GLOBAL_DBNAME = ods)
          (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1)
          (SID_NAME = ods)
        )
      )

    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = IP-or-hostname)(PORT = 1521))
         # (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))  -- commented out: IPC is rarely used, almost all applications connect to the database over TCP
        )
      )

    ADR_BASE_LISTENER = /u01/app/oracle
    # For a single instance, adding the following line is enough
    VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

    # For RAC, add the following three lines; add one SCAN entry for each LISTENER_SCAN listener
    VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
    VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
    REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(all public IPs of the RAC nodes, including host IPs, VIPs and SCAN IPs)

1.2 Reload the listener

lsnrctl reload
lsnrctl reload listener_scan1     # RAC also needs to run this command
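Before reloading, it is worth confirming that every listener defined in listener.ora actually has VNCR enabled, because a VNCR line that is merely commented out (as in section 2.1.1 below) leaves that listener unprotected. The following Python script is an added example, not part of the original article or of Oracle's tooling; it parses a constructed listener.ora (host names, IPs and paths are placeholders), finds the listener definitions, and reports for each one whether VALID_NODE_CHECKING_REGISTRATION_<name> is set to an enabling value.

```python
"""Audit a listener.ora for the VNCR settings described in section 1 (added example)."""
import re

# Constructed sample listener.ora; host names, paths and IPs are placeholders.
SAMPLE_LISTENER_ORA = """\
# listener.ora Network Configuration File
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db-node1)(PORT = 1521))
    )
  )

LISTENER_SCAN1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER_SCAN1))
  )

ADR_BASE_LISTENER = /u01/app/oracle
VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
# VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(10.0.100.11, 10.0.100.12, 10.0.100.21)
"""

# Prefixes of listener.ora parameters; any other top-level "NAME =" defines a listener.
PARAM_PREFIXES = ("VALID_NODE_CHECKING_REGISTRATION_", "REGISTRATION_INVITED_NODES_",
                  "REGISTRATION_EXCLUDED_NODES_", "SID_LIST_", "ADR_BASE_",
                  "LOG_FILE_", "TRACE_LEVEL_")
VNCR_ENABLED = {"ON", "1", "LOCAL", "SUBNET", "2"}
KEY_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_listener_ora(text):
    """Return (listener names, parameters). Comment lines are skipped, so a
    commented-out VNCR line counts as not set."""
    listeners, params = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue                      # continuation lines such as "(DESCRIPTION ="
        key, value = m.group(1).upper(), m.group(2).strip()
        if key.startswith(PARAM_PREFIXES):
            if value.startswith("(") and value.endswith(")"):
                # list-valued parameter, e.g. REGISTRATION_INVITED_NODES_...=(a, b)
                params[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            else:
                params[key] = value.upper() if key.startswith("VALID_NODE_CHECKING") else value
        elif not raw[:1].isspace():
            listeners.append(key)         # top-level definition: a listener name
    return listeners, params


def audit_vncr(text):
    """One verdict per listener: OK (VNCR on), OFF (explicitly disabled) or MISSING."""
    listeners, params = parse_listener_ora(text)
    verdicts = {}
    for name in listeners:
        mode = params.get("VALID_NODE_CHECKING_REGISTRATION_" + name)
        if mode is None:
            verdicts[name] = "MISSING"
        elif mode in VNCR_ENABLED:
            verdicts[name] = "OK"
        else:
            verdicts[name] = "OFF"
    return verdicts


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTENER_ORA
    for name, verdict in audit_vncr(text).items():
        print(f"{name}: {verdict}")
```

Run it with a path argument to audit a real file; with no argument it audits the embedded sample, where LISTENER passes and LISTENER_SCAN1 is reported MISSING because its VNCR line is commented out. The parser is deliberately a simple line-based one: it recognises top-level `NAME =` definitions and the listed parameter prefixes, which is enough for files shaped like the one in section 1.1.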

 

 

2. Verifying the fix

2.1. Verify listener behaviour with the VNCR rules commented out

2.1.1. Comment out the VNCR rules in listener.ora

    # Single instance
    # VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

    # RAC
    # VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
    # VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
    # REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(all public IPs of all nodes)

2.1.2. Reload the listener

lsnrctl reload
lsnrctl reload listener_scan1     # RAC also needs to run this command

2.1.3. Set remote_listener on another database

SQL> show parameter remote_listener
SQL> alter system set remote_listener='(ADDRESS = (PROTOCOL = TCP)(HOST =ip)(PORT = 1521))' scope=memory;
SQL> show parameter remote_listener
SQL> alter system register;

2.1.4. Check the listener services

Check whether the listener service information contains the string "REMOTE SERVER"; its presence is the sign that the listener is affected by this vulnerability:

$ lsnrctl services listener
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 04-SEP-2019 17:16:55
Copyright (c) 1991, 2013, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))
Services Summary...
Service "TESTDB" has 1 instance(s).
  Instance "TESTDB", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:blocked
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)(PORT=1521))
Service "ods" has 2 instance(s).
  Instance "ods", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
  Instance "ods", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:2 refused:0 state:ready
         LOCAL SERVER
Service "odsXDB" has 1 instance(s).
  Instance "ods", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: localhost, pid: 18481>
         (ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=29037))
The command completed successfully

2.1.5. Check the listener log

04-SEP-2019 17:16:55 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ip)(USER=oracle))(COMMAND=services)(ARGUMENTS=64)(SERVICE=listener)(VERSION=186647552)) * services * 0
Wed Sep 04 17:17:21 2019
04-SEP-2019 17:17:21 * service_update * testdb * 0
Wed Sep 04 17:17:51 2019
04-SEP-2019 17:17:51 * service_update * testdb * 0
04-SEP-2019 17:17:54 * service_update * testdb * 0
04-SEP-2019 17:17:57 * service_update * testdb * 0
Wed Sep 04 17:18:21 2019
04-SEP-2019 17:18:21 * service_update * testdb * 0

The output above shows that a remote database, testdb, has registered with the listener.

2.2. Verify listener behaviour with the VNCR rules in effect

2.2.1. Enable the VNCR rules

    # Single instance
    VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

    # RAC
    VALID_NODE_CHECKING_REGISTRATION_LISTENER=ON
    VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
    REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(all public IPs of all nodes)

2.2.2. Reload the listener

lsnrctl reload
lsnrctl reload listener_scan1     # RAC also needs to run this command

2.2.3. On the other database

Trigger dynamic listener registration. Because remote_listener was already set in the previous step, it does not need to be set again; running alter system register is enough.

SQL> alter system register;

2.2.4. Check the listener services

The listener service information below no longer contains "REMOTE SERVER", which shows the vulnerability is fixed:

$ lsnrctl services listener
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 04-SEP-2019 17:26:12
Copyright (c) 1991, 2013, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost(PORT=1521)))
Services Summary...
Service "ods" has 2 instance(s).
  Instance "ods", status UNKNOWN, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0
         LOCAL SERVER
  Instance "ods", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:3 refused:0 state:ready
         LOCAL SERVER
Service "odsXDB" has 1 instance(s).
  Instance "ods", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: xxptods, pid: 18481>
         (ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=29037))
The command completed successfully
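The checks in 2.1.4 and 2.2.4 are visual: look for REMOTE SERVER. The Python below is an added example (not from the original article) that performs the same check over the text of `lsnrctl services`, so it can run from a scheduled job or a compliance scan. It parses each service, instance and handler and reports REMOTE SERVER handlers whose registering host is not in an allowlist. The two samples are constructed to mirror the 2.1.4 and 2.2.4 output with placeholder host names. On a RAC SCAN listener the instances on the other cluster nodes legitimately register as REMOTE SERVER, so their VIPs or host names should be passed as allowed hosts.

```python
"""Flag REMOTE SERVER handlers in `lsnrctl services` output (added example)."""
import re

# Constructed sample modelled on the 2.1.4 output; host names are placeholders.
VULNERABLE_OUTPUT = """\
Services Summary...
Service "TESTDB" has 1 instance(s).
  Instance "TESTDB", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:blocked
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=unknown-host.localdomain)(PORT=1521))
Service "ods" has 1 instance(s).
  Instance "ods", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:2 refused:0 state:ready
         LOCAL SERVER
Service "odsXDB" has 1 instance(s).
  Instance "ods", status READY, has 1 handler(s) for this service...
    Handler(s):
      "D000" established:0 refused:0 current:0 max:1022 state:ready
         DISPATCHER <machine: db-node1, pid: 18481>
         (ADDRESS=(PROTOCOL=tcp)(HOST=db-node1)(PORT=29037))
The command completed successfully
"""

# Constructed sample modelled on the 2.2.4 output (VNCR enabled).
FIXED_OUTPUT = """\
Services Summary...
Service "ods" has 1 instance(s).
  Instance "ods", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:3 refused:0 state:ready
         LOCAL SERVER
The command completed successfully
"""

SERVICE_RE = re.compile(r'^Service "([^"]+)" has \d+ instance')
INSTANCE_RE = re.compile(r'^\s+Instance "([^"]+)", status (\w+),')
HANDLER_RE = re.compile(r'^\s+"([^"]+)" established:(\d+) refused:(\d+)')
ORIGIN_RE = re.compile(r'^\s+(REMOTE SERVER|LOCAL SERVER|DISPATCHER)\b')
ADDRESS_RE = re.compile(r'^\s+(\(ADDRESS=.*\))\s*$')
HOST_RE = re.compile(r'\(HOST=([^)]+)\)')


def parse_services(text):
    """Return one dict per handler: the service/instance it belongs to, where it was
    registered from (LOCAL SERVER / REMOTE SERVER / DISPATCHER) and, when shown,
    the address that registered it."""
    handlers = []
    service = instance = status = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            service = m.group(1)
            continue
        m = INSTANCE_RE.match(line)
        if m:
            instance, status = m.groups()
            continue
        m = HANDLER_RE.match(line)
        if m:
            handlers.append({"service": service, "instance": instance, "status": status,
                             "handler": m.group(1), "refused": int(m.group(3)),
                             "origin": None, "address": None})
            continue
        m = ORIGIN_RE.match(line)
        if m and handlers:
            handlers[-1]["origin"] = m.group(1)
            continue
        m = ADDRESS_RE.match(line)
        if m and handlers:
            handlers[-1]["address"] = m.group(1)
    return handlers


def remote_registrations(text, allowed_hosts=()):
    """REMOTE SERVER handlers whose registering host is not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    suspicious = []
    for h in parse_services(text):
        if h["origin"] != "REMOTE SERVER":
            continue
        m = HOST_RE.search(h["address"] or "")
        host = m.group(1).lower() if m else None
        if host not in allowed:
            suspicious.append({"service": h["service"], "instance": h["instance"], "host": host})
    return suspicious


if __name__ == "__main__":
    print("before VNCR:", remote_registrations(VULNERABLE_OUTPUT))   # one remote service
    print("after VNCR: ", remote_registrations(FIXED_OUTPUT))        # []
```

A registration that slipped through should be treated as an incident indicator rather than just a configuration finding: the registering host in the reported address is where the rogue instance claimed to live, and the listener's own log (section 2.1.5) will show the matching service_register / service_update entries.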

 

 

2.2.5. Check the listener log

The listener log below shows the remote registration being rejected:

Wed Sep 04 17:25:15 2019
Listener(VNCR option 1) rejected Registration request from destination 10.0.100.7
04-SEP-2019 17:25:15 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
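The listener log entries in 2.1.5 and 2.2.5 are the evidence that matters most for monitoring: successful service_register / service_update lines name what was registered, and a VNCR rejection produces a "rejected Registration request from destination" line followed by TNS-01182. The Python below is an added example, not from the original article; it parses a constructed log built from the line formats shown above (same 10.0.100.7 source, placeholder host name), lists the registered services, flags any that are not in an expected set, and counts VNCR rejections together with their source addresses.

```python
"""Parse listener.log for accepted registrations and VNCR rejections (added example)."""
import re
from collections import Counter

# Constructed sample built from the line formats in 2.1.5 and 2.2.5; host names are placeholders.
SAMPLE_LOG = """\
Wed Sep 04 17:17:21 2019
04-SEP-2019 17:17:21 * service_update * testdb * 0
04-SEP-2019 17:17:51 * service_update * ods * 0
04-SEP-2019 17:18:21 * service_update * testdb * 0
Wed Sep 04 17:25:15 2019
Listener(VNCR option 1) rejected Registration request from destination 10.0.100.7
04-SEP-2019 17:25:15 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
04-SEP-2019 17:26:12 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=db-node1)(USER=oracle))(COMMAND=services)(ARGUMENTS=64)(SERVICE=listener)(VERSION=186647552)) * services * 0
"""

# "<timestamp> * <field> * <field> ... * <return code>"
EVENT_RE = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (.+) \* (\d+)$")
REJECT_RE = re.compile(r"rejected Registration request from destination (\S+)")


def parse_listener_log(text):
    """Return (events, rejected_sources). Each event carries the timestamp, the
    '*'-separated fields and the trailing return code (0 = success)."""
    events, rejected_sources = [], []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejected_sources.append(m.group(1))
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue                      # day-stamp lines, TNS-xxxxx text, etc.
        ts, body, rc = m.groups()
        fields = [f.strip() for f in body.split(" * ")]
        events.append({"ts": ts, "fields": fields, "rc": int(rc)})
    return events, rejected_sources


def registered_services(text):
    """Service names the listener accepted a registration or update for."""
    events, _ = parse_listener_log(text)
    return sorted({e["fields"][1] for e in events
                   if e["rc"] == 0 and len(e["fields"]) > 1
                   and e["fields"][0] in ("service_register", "service_update")})


def unexpected_registrations(text, expected_services):
    """Registered services that this listener should not be serving."""
    expected = {s.lower() for s in expected_services}
    return [s for s in registered_services(text) if s.lower() not in expected]


def vncr_rejections(text):
    """Sources rejected by VNCR and how many registration attempts ended in TNS-01182."""
    events, rejected_sources = parse_listener_log(text)
    codes = Counter(e["rc"] for e in events if e["fields"][0].startswith("service_register"))
    return {"sources": rejected_sources, "tns_01182": codes.get(1182, 0)}


if __name__ == "__main__":
    print("registered:", registered_services(SAMPLE_LOG))            # ['ods', 'testdb']
    print("unexpected:", unexpected_registrations(SAMPLE_LOG, {"ods"}))  # ['testdb']
    print("rejections:", vncr_rejections(SAMPLE_LOG))
```

Feeding real listener.log text through unexpected_registrations with the set of services the host is meant to serve gives a direct "was anything registered that should not have been" answer, while a rising tns_01182 count after the fix is applied shows VNCR is doing its job and tells you which sources are still trying.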

 

 

3. Additional notes

3.1. VALID_NODE_CHECKING_REGISTRATION_listener_name

listener_name: the name of the listener

Parameter values:

  • OFF/0 disables VNCR; services that register are not checked at all

  • ON/1/LOCAL enables VNCR; by default only services from the local host's own IP addresses may register with this listener, and other servers that need to register can be added with the REGISTRATION_INVITED_NODES parameter

  • SUBNET/2 allows servers in the specified subnet to register

3.2. REGISTRATION_INVITED_NODES_listener_name

This parameter controls which nodes are allowed to register and can be specified by IP address, host name or network range.

For example: REGISTRATION_INVITED_NODES_Listener=(net-vm1, 127.98.45.209, 127.42.5.*)

Note that when an INVITED list is set, the machine's local IP is automatically included in the list; there is no need to add it.
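To make the parameter semantics in 3.1 and 3.2 concrete, the following Python models the VNCR decision. It is an added example and my own simplified model, not Oracle's code: OFF/0 accepts everything, ON/1/LOCAL accepts only the listener host's own IPs plus REGISTRATION_INVITED_NODES entries, and SUBNET/2 additionally accepts any address in the listener host's interface subnets. Local interfaces are given as constructed ip/prefix strings, and invited-node entries may be IPs, host names or IP wildcards such as 127.42.5.* from the example above. Two points are assumptions of the model rather than documented behaviour: that the invited list is also consulted in SUBNET mode, and that host-name entries are matched against the registering host's resolved name.

```python
"""Simplified model of the VNCR decision for a registration request (added example)."""
import ipaddress
from fnmatch import fnmatch


def normalize_mode(value):
    """Map the accepted spellings of VALID_NODE_CHECKING_REGISTRATION_<listener> to a mode."""
    v = str(value).strip().upper()
    if v in ("OFF", "0"):
        return "OFF"
    if v in ("ON", "1", "LOCAL"):
        return "LOCAL"
    if v in ("SUBNET", "2"):
        return "SUBNET"
    raise ValueError(f"unknown VNCR mode {value!r}")


def invited_match(node, source_ip, source_host):
    """An invited entry is a host name, an IP, or an IP wildcard such as 127.42.5.*."""
    if "*" in node:
        return fnmatch(source_ip, node)
    return node == source_ip or (source_host is not None and node.lower() == source_host.lower())


def registration_allowed(mode, source_ip, local_interfaces, invited_nodes=(), source_host=None):
    """Decide whether a registration from source_ip is accepted.

    local_interfaces: 'ip/prefix' strings of the listener host (constructed input).
    Assumption of this model: SUBNET mode compares against these interface subnets,
    and the invited list is consulted in both LOCAL and SUBNET mode.
    """
    mode = normalize_mode(mode)
    if mode == "OFF":
        return True                       # VNCR disabled: nothing is checked
    src = ipaddress.ip_address(source_ip)
    for iface in local_interfaces:
        local = ipaddress.ip_interface(iface)
        if src == local.ip:
            return True                   # the listener host's own IPs are always invited
        if mode == "SUBNET" and src in local.network:
            return True
    return any(invited_match(n, source_ip, source_host) for n in invited_nodes)


if __name__ == "__main__":
    host_ifaces = ["10.0.100.11/24"]      # constructed listener host
    # The 2.2.5 case: an 11.2.0.4 listener with VNCR=1 rejects 10.0.100.7.
    print("11.2.0.4 VNCR=1, 10.0.100.7:", registration_allowed("1", "10.0.100.7", host_ifaces))
    # The 3.3 case: a 12c default of SUBNET accepts the same source.
    print("12c SUBNET,      10.0.100.7:", registration_allowed("SUBNET", "10.0.100.7", host_ifaces))
```

The last two calls show why section 3.3 matters: the same source that 11.2.0.4 rejects under ON/1 is accepted under the SUBNET/2 default, because it sits in the listener host's /24. An explicit LOCAL setting with a short invited list is the tighter choice when the registering databases are known.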

3.3. Differences between 11.2.0.4 and 12c

On a 12.1 RAC database the listener parameter VALID_NODE_CHECKING_REGISTRATION_listener_name defaults to SUBNET/2, which allows every machine in the subnet to register. The 12c default therefore does not by itself address CVE-2012-1675.

4. References

Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)
How to Enable VNCR on RAC Database to Register only Local Instances (Doc ID 1914282.1)
