on 04-30-2012 10:45 AM
According to heise Security News there exists an Oracle bug which allows malicious listeners:
I have searched OSS and SDN, but so far it seems there is no recommendation from SAP.
Should we proactively set dynamic_registration = off in the listener.ora (for non-clustered systems)?
Or should we wait until Oracle releases a bugfix and keep fingers crossed?
Regards,
Mark
Hello Mark,
well it depends on your listener configuration. Afaik SAP uses static listener registration and not the dynamic registration by PMON (because of startsap and dbstart). In some cases (like Data Guard with Broker, etc.) you need to use the dynamic registration.
Here is an example of the impact, if you are using dynamic registration and setting the parameter "DYNAMIC_REGISTRATION_listener_name".
SQL> show parameter local_listener
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
local_listener string 11G
************ WITH DYNAMIC_REGISTRATION_LISTENER = ON ************
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<HOSTNAME>)(PORT=1522)))
Services Summary...
Service "11G" has 1 instance(s).
Instance "11G", status READY, has 1 handler(s) for this service...
The command completed successfully
************ WITH DYNAMIC_REGISTRATION_LISTENER = OFF ************
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<HOSTNAME>)(PORT=1522)))
The listener supports no services
The command completed successfully
http://docs.oracle.com/cd/E11882_01/network.112/e10835/listener.htm#BGBCEJHE
However if you check your listener.ora file and you see a static definition - the setting has no impact on a single instance environment.
Best Regards
Stefan
Hello Mark,
are you quite sure that you use the dynamic registration? None of our SAP systems is using dynamic registration. The important part is the status of the listening services to see the difference. Here is an example.
************ WITH DYNAMIC REGISTRATION ************
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<HOSTNAME>)(PORT=1522)))
Services Summary...
Service "11G" has 1 instance(s).
Instance "11G", status READY, has 1 handler(s) for this service...
The command completed successfully
************ WITHOUT DYNAMIC REGISTRATION ************
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<HOSTNAME>)(PORT=1522)))
Services Summary...
Service "11G" has 1 instance(s).
Instance "11G", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
You can also check your listener.ora file for an entry like "SID_LIST_<NAME>". If you find something like that you are using the static registration (and maybe the dynamic in addition).
Regards
Stefan
Hello Stefan,
for me the Oracle documentation is (as usual) very explicit. Dynamic registration is turned on per default. If I don't find a setting in the listener.ora, then dynamic registration is enabled. This is confirmed by my tests. I haven't found a single listener.ora with the dynamic registration being specified, so it is turned on:
LSNRCTL> show dynamic_registration
Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=XS2.WORLD))
LISTENER parameter "dynamic_registration" set to ON
The command completed successfully
And that is the case for all SAP on Oracle systems I know.
Regards,
Mark
Hello Mark,
yes you are right, that is enabled by default. But whether you are using it is another point. You only have an impact if you are using that feature in an SAP environment (like Data Guard, etc.) for connecting to an Oracle database.
The dynamic registration is only used on the listener port 1521 (by default) and if you are running your Oracle listener on any other port you have to configure it with the "local_listener" parameter (see my example from above).
Regards
Stefan
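To make the checks from this thread repeatable across many systems, here is an added example (my own code, not from the thread or from SAP/Oracle) that parses a listener.ora and reports, per listener, whether DYNAMIC_REGISTRATION_<listener> is set, whether a static SID_LIST_<listener> exists, and which ports the listener uses. The sample listener.ora below is constructed (hostname, SID and paths are hypothetical); the assumption that an unset parameter means ON follows the lsnrctl output Mark posted above.

```python
import re

# Constructed sample listener.ora: one listener with a static SID_LIST and
# dynamic registration switched off, one (e.g. for Data Guard) relying on
# dynamic registration only. Hostname, SID and ORACLE_HOME are hypothetical.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1527))
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = XS2)(ORACLE_HOME = /oracle/XS2/112_64))
  )
DYNAMIC_REGISTRATION_LISTENER = OFF
LISTENER_DG =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
  )
"""

# A top-level entry starts at column 0 (nested lines start with "(").
ENTRY_RE = re.compile(r"^[ \t]*([A-Za-z0-9_]+)[ \t]*=", re.M)
PORT_RE = re.compile(r"\(PORT\s*=\s*(\d+)\)", re.I)


def parse_entries(text):
    """Return {NAME: raw value text} for every top-level 'NAME = ...' entry."""
    matches = list(ENTRY_RE.finditer(text))
    entries = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries[m.group(1).upper()] = text[m.end():end].strip()
    return entries


def assess(text):
    """For each listener: registration mode, static SID_LIST presence, ports."""
    entries = parse_entries(text)
    report = {}
    for name, body in entries.items():
        if "(ADDRESS" not in body.upper():
            continue  # SID_LIST_* blocks and scalar parameters are not listeners
        # Unset DYNAMIC_REGISTRATION_<name> means ON (the default shown by lsnrctl).
        dyn = entries.get(f"DYNAMIC_REGISTRATION_{name}", "ON").upper()
        static = f"SID_LIST_{name}" in entries
        report[name] = {
            "dynamic_registration": dyn,
            "static_sid_list": static,
            "ports": [int(p) for p in PORT_RE.findall(body)],
            # Listeners with no static entries and dynamic registration ON are
            # the ones the thread (and SAP note 1714255) says need attention.
            "dynamic_only": dyn == "ON" and not static,
        }
    return report


if __name__ == "__main__":
    for listener, info in assess(SAMPLE_LISTENER_ORA).items():
        print(listener, info)
```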
The SAP note 1714255 has arrived, that was a quick response!
https://service.sap.com/sap/support/notes/1714255
The SAP note says that all Oracle listeners are affected by the bug and should be secured, because dynamic registration is enabled by default.
Hi Stefan,
I wanted to ask if the procedure is the same for Oracle 10g.
I do not have the listener on the standard port 1521 but port 1527.
I'm following SAP Note 1714255 (Restrict Instance Registration for non-RAC environments), specifically this part: "Alternate option without implementation COST".
Can you help me understand?
Thanks in advance
Hello
Sandro