
Set dynamic_registration=off due to Oracle bug?

Former Member
0 Kudos

According to heise Security News there exists an Oracle bug which allows malicious listeners:

http://www.h-online.com/security/news/item/Oracle-databases-vulnerable-to-injected-listeners-1563150...

I have searched OSS and SDN, but so far it seems there is no recommendation from SAP.

Should we proactively set dynamic_registration = off in the listener.ora (for non-clustered systems)?

Or should we wait until Oracle releases a bugfix and keep fingers crossed?

Regards,

Mark

Accepted Solutions (1)


stefan_koehler
Active Contributor
0 Kudos

Hello Mark,

well it depends on your listener configuration. Afaik SAP uses static listener registration and not the dynamic registration by PMON (because of startsap and dbstart). In some cases (like Data Guard with Broker, etc.) you need to use the dynamic registration.

Here is an example of the impact, if you are using dynamic registration and setting the parameter "DYNAMIC_REGISTRATION_listener_name".

SQL> show parameter local_listener

NAME                     TYPE     VALUE

------------------------------------ ----------- ------------------------------

local_listener                 string     11G

************ WITH DYNAMIC_REGISTRATION_LISTENER = ON ************

Listening Endpoints Summary...

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<HOSTNAME>)(PORT=1522)))

Services Summary...

Service "11G" has 1 instance(s).

  Instance "11G", status READY, has 1 handler(s) for this service...

The command completed successfully

************ WITH DYNAMIC_REGISTRATION_LISTENER = OFF ************

Listening Endpoints Summary...

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<HOSTNAME>)(PORT=1522)))

The listener supports no services

The command completed successfully

http://docs.oracle.com/cd/E11882_01/network.112/e10835/listener.htm#BGBCEJHE

However if you check your listener.ora file and you see a static definition - the setting has no impact on a single instance environment.

Best Regards

Stefan

Former Member
0 Kudos

Hello Stefan,

thanks a lot for the helpful information! I checked my systems and they do have dynamic listener registration. This is also the default according to the Oracle documentation. I just wonder whether there will be some reaction by SAP.

Regards,

Mark

stefan_koehler
Active Contributor
0 Kudos

Hello Mark,

are you quite sure that you use the dynamic registration? None of our SAP systems is using dynamic registration. The important part is the status of the listening services to see the difference. Here is an example.

************ WITH DYNAMIC REGISTRATION ************ 

Listening Endpoints Summary... 

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<HOSTNAME>)(PORT=1522))) 

Services Summary... 

Service "11G" has 1 instance(s). 

  Instance "11G", status READY, has 1 handler(s) for this service... 

The command completed successfully

************ WITHOUT DYNAMIC REGISTRATION ************ 

Listening Endpoints Summary... 

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<HOSTNAME>)(PORT=1522))) 

Services Summary... 

Service "11G" has 1 instance(s). 

  Instance "11G", status UNKNOWN, has 1 handler(s) for this service... 

The command completed successfully   

You can also check your listener.ora file for an entry like "SID_LIST_<NAME>". If you find something like that you are using the static registration (and maybe the dynamic in addition).

Regards

Stefan
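The status check described in the post above, as an added example that is not part of the original post: it parses `lsnrctl status` text and groups each instance by how it was registered, using the thread's own mapping (READY for dynamic, UNKNOWN for static). The sample output and the "DEMO" service are constructed for illustration.

```python
import re

# Constructed sample in the shape of the `lsnrctl status` output quoted in this thread.
SAMPLE_STATUS = """\
Services Summary...
Service "11G" has 2 instance(s).
  Instance "11G", status UNKNOWN, has 1 handler(s) for this service...
  Instance "11G", status READY, has 1 handler(s) for this service...
Service "DEMO" has 1 instance(s).
  Instance "DEMO", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
"""

SERVICE_RE = re.compile(r'^Service "([^"]+)" has \d+ instance')
INSTANCE_RE = re.compile(r'^\s*Instance "([^"]+)", status (\w+),')
# Mapping taken from the thread: READY = dynamic, UNKNOWN = static.
KIND = {"READY": "dynamic", "UNKNOWN": "static"}

def classify_registrations(status_text):
    """Return {service: {"dynamic": [...], "static": [...], "other": [...]}}."""
    result, current = {}, None
    for line in status_text.splitlines():
        svc = SERVICE_RE.match(line)
        if svc:
            current = result.setdefault(
                svc.group(1), {"dynamic": [], "static": [], "other": []})
            continue
        inst = INSTANCE_RE.match(line)
        if inst and current is not None:
            name, status = inst.groups()
            current[KIND.get(status.upper(), "other")].append(name)
    return result

def dynamically_registered(status_text):
    """Services with at least one instance that registered itself at runtime."""
    return sorted(s for s, kinds in classify_registrations(status_text).items()
                  if kinds["dynamic"])

if __name__ == "__main__":
    for service, kinds in classify_registrations(SAMPLE_STATUS).items():
        print(service, kinds)
    print("review:", dynamically_registered(SAMPLE_STATUS))
```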

Former Member
0 Kudos

Hello Stefan,

for me the Oracle documentation is (as usual) very explicit. Dynamic registration is turned on per default. If I don't find a setting in the listener.ora, then dynamic registration is enabled. This is confirmed by my tests. I haven't found a single listener.ora with the dynamic registration being specified, so it is turned on:

LSNRCTL> show dynamic_registration

Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=XS2.WORLD))

LISTENER parameter "dynamic_registration" set to ON

The command completed successfully

And that is the case for all SAP on Oracle systems I know.

Regards,

Mark
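An added example, not part of the original posts, that audits a listener.ora the way the two posts above describe: for every listener it reports whether a static `SID_LIST_<name>` entry exists and what `DYNAMIC_REGISTRATION_<name>` is set to, treating an absent setting as ON. The file content, the listener names and the host, SID and path values are constructed for illustration.

```python
import re

# Constructed listener.ora; LISTENER_DG, dbhost, DEMO and the path are hypothetical.
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1527))
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = DEMO)(ORACLE_HOME = /oracle/DEMO/home))
  )
DYNAMIC_REGISTRATION_LISTENER = OFF   # explicit setting
LISTENER_DG =
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1522))
"""

def top_level_params(text):
    """Map each top-level parameter name (upper-cased) to its value, whitespace removed."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    hits, depth = [], 0
    for m in re.finditer(r"[()]|([\w.]+)\s*=", body):
        if m.group(0) == "(":
            depth += 1
        elif m.group(0) == ")":
            depth -= 1
        elif depth == 0:          # "NAME =" outside any parentheses
            hits.append(m)
    params = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        params[m.group(1).upper()] = "".join(body[m.end():end].split())
    return params

def audit_listeners(text):
    """Return {listener: {"static_sid_list": bool, "dynamic_registration": "ON"/"OFF"}}."""
    params = top_level_params(text)
    report = {}
    for name, value in params.items():
        if "(ADDRESS=" not in value.upper():
            continue              # not a listener definition
        report[name] = {
            "static_sid_list": "SID_LIST_" + name in params,
            # No explicit setting means ON, as the lsnrctl output above shows.
            "dynamic_registration": params.get("DYNAMIC_REGISTRATION_" + name, "ON").upper(),
        }
    return report

if __name__ == "__main__":
    for listener, state in audit_listeners(SAMPLE_LISTENER_ORA).items():
        print(listener, state)
```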

stefan_koehler
Active Contributor
0 Kudos

Hello Mark,

yes, you are right, that is enabled by default. But whether you are using it is another point. You only have an impact if you are using that feature in a SAP environment (like Data Guard, etc.) for connecting to an Oracle database.

The dynamic registration is only used on the listener port 1521 (by default) and if you are running your Oracle listener on any other port you have to configure it with the "local_listener" parameter (see my example from above).

Regards

Stefan

Former Member
0 Kudos

I just got the information from SAP that they are working on a SAP note, so let's see what the note will contain.

Former Member
0 Kudos

The SAP note 1714255 has arrived, that was a quick response!

https://service.sap.com/sap/support/notes/1714255

The SAP note says that all Oracle listeners are affected by the bug and should be secured, because dynamic registration is enabled by default.

Former Member
0 Kudos

Hi Stefan

I wanted to ask if the procedure is the same for Oracle 10g.

I do not have the listener on the standard port 1521 but port 1527.

I'm following SAP Note 1714255 - Restrict Instance Registration for non-RAC environments of this part: Alternate option without implementation COST

Can you help me understand?

Thanks in advance

Hello

Sandro

Answers (0)