Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28016
HistoryMay 01, 2012 - 12:00 a.m.

Re: The history of a -probably- 13 years old Oracle bug: TNS Poison

2012-05-0100:00:00
vulners.com
89
JSON

I wanted to comment on the workarounds for this problem:

1) Setting SQLNET.ENCRYPTION_SERVER=REQUIRED on the server is not enough to protect you.
To avoid "man in the middle" attacks, you need to have an SSL certificate on
the server and SSL_SERVER_DN_MATCH=TRUE in the client's sqlnet.ora.

2) Another way to protect yourself in Oracle 11.1 or better is to configure the listener
to only accept registration requests from the local machine by adding
SECURE_REGISTER_<listener>=(IPC) to listener.ora.
The databases must be configured with LOCAL_LISTENER='(ADDRESS=(PROTOCOL=IPC)(KEY=<like in listener.ora>))'

Yours,
Laurenz Albe

JSON