Title: Oracle Net Listener Listener Control Utility (LSNRCTL) listener.ora Format String DoS
Info
Dates
Disclosure: Aug 08, 2002
Discovery: Unknown
Exploit: Unknown
Solution: Unknown
Description
Classification
Location: Local Access Required, Local / Remote, Context Dependent
Attack Type: Denial of Service, Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Disclosure: Vendor Verified
Solution
Workaround:
In addition to available patches, Oracle strongly urges customers to take the following steps to address the vulnerabilities identified above.
1. Configure a listener password to prevent unauthorized users from administering the listener.
   Alternatively, set ADMIN_RESTRICTIONS_listener_name=ON in listener.ora to completely disable runtime modification of the listener’s configuration parameters.
2. Set appropriate operating system directory and file permissions on the listener configuration file, listener.ora.
   For example:
   Unix: $ chmod 600 $ORACLE_HOME/network/admin/listener.ora
   Windows: File properties > Security > Permissions …
3. Do not attempt to start an Oracle Net Listener with an invalid name.
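Steps 1 and 2 can be verified with a short audit of listener.ora. This is an added example, not part of the Oracle advisory: the function name audit_listener_ora, the sample host db1.example.test and the sample file contents are constructed, and the listener name is assumed to contain only letters, digits and underscores. PASSWORDS_listener_name is the listener.ora entry that holds a configured listener password.

```shell
#!/bin/sh
# Audit listener.ora against the workaround steps: file mode 600, and either
# ADMIN_RESTRICTIONS_<name>=ON or a PASSWORDS_<name> entry for the listener.
# Prints one line per check; the return status is the number of findings.
audit_listener_ora() {
    file=$1
    name=${2:-LISTENER}   # listener name; assumed to match [A-Za-z0-9_]+
    findings=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file not found"
        return 1
    fi

    # Step 2: only the owner may read or write the file (chmod 600).
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600"
        findings=$((findings + 1))
    fi

    # Step 1: match parameter names case-insensitively. Lines starting with
    # '#' are comments and cannot match because the pattern is anchored.
    if grep -Eiq "^[[:space:]]*ADMIN_RESTRICTIONS_${name}[[:space:]]*=[[:space:]]*ON[[:space:]]*\$" "$file"; then
        echo "OK: ADMIN_RESTRICTIONS_${name}=ON"
    elif grep -Eiq "^[[:space:]]*PASSWORDS_${name}[[:space:]]*=[[:space:]]*[^[:space:]]" "$file"; then
        echo "OK: listener password set (PASSWORDS_${name})"
    else
        echo "FAIL: no listener password and ADMIN_RESTRICTIONS_${name} is not ON"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: world-readable file with the restriction commented out.
demo=$(mktemp)
cat > "$demo" <<'EOF'
LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1521)))
# ADMIN_RESTRICTIONS_LISTENER = ON
EOF
chmod 644 "$demo"
audit_listener_ora "$demo" LISTENER || echo "findings: $?"
rm -f "$demo"
```

Run it as the Oracle software owner against $ORACLE_HOME/network/admin/listener.ora, passing the listener name as the second argument.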
Patch Information
Oracle has fixed the potential vulnerabilities identified above under the base bug number 2395416. Download currently available patches from the Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com). Activate the ‘Patches’ button to get to the patches Web page. Enter bug number 2395416 as indicated above and activate the ‘Submit’ button.