VNCR is available on 11.2.0.4 and 12c, so if the DB is 11.2.0.3 then COST is still the only option available against this attack. Below is an example of setting VNCR on a single-instance database. For RAC with SCAN listeners refer to the MOS notes listed at the end of the post.

The listener runs on the server with IP 192.168.0.66 (hpc1.domain.net). Currently no DB is registered with it.
$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-FEB-2016 13:06:44

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hpc1.domain.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date                22-FEB-2016 13:06:41
Uptime                    0 days 0 hr. 0 min. 3 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/app/oracle/product/11.2.0/std4/network/admin/listener.ora
Listener Log File         /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hpc1.domain.net)(PORT=1521)))
The listener supports no services
The command completed successfully

The DB (something to register with this listener) runs on the server with IP 192.168.0.99. To register with the listener on 192.168.0.66, add a remote listener entry in tnsnames.ora and register the database:
$ cat tnsnames.ora
listener_name =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.66)(PORT=1521))
  )

SQL> alter system set remote_listener='listener_name' scope=both;

System altered.

SQL> alter system register;

System altered.

Check the listener status:
$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-FEB-2016 13:08:51

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hpc1.domain.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date                22-FEB-2016 13:06:41
Uptime                    0 days 0 hr. 2 min. 10 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/app/oracle/product/11.2.0/std4/network/admin/listener.ora
Listener Log File         /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hpc1.domain.net)(PORT=1521)))
Services Summary...
Service "fgacdb" has 1 instance(s).
  Instance "fgacdb", status READY, has 1 handler(s) for this service...
Service "fgacdbXDB" has 1 instance(s).
  Instance "fgacdb", status READY, has 1 handler(s) for this service...
The command completed successfully

The above shows that the remote database has registered with the listener.
To prevent this type of remote registration, enable valid node checking for registration on the listener. To enable VNCR on 11.2.0.4, add the following entry to the listener.ora file. The parameter name is suffixed with the listener name, which in this case is "LISTENER":

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

Reload the listener and check the status. The remote listener registration is now blocked.
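Because the parameter is per listener alias, a host with several listeners in one listener.ora can easily end up with VNCR on one and not the others. The following is an added example (not code from the post) that parses a listener.ora, lists every listener alias it defines and reports whether a VALID_NODE_CHECKING_REGISTRATION_<alias> entry enables VNCR for it. The sample file is constructed; the treatment of "0"/"OFF" as disabled and of the unset case as disabled on 11.2.0.4 (pass vncr_default_on=True for 12c, where the post says it is on by default) is an assumption of this example.

```python
"""Audit listener.ora for Valid Node Checking for Registration (VNCR).

Added example: for each listener alias in the file, report whether the
VALID_NODE_CHECKING_REGISTRATION_<alias> parameter enables VNCR.
"""
import re

# Constructed sample listener.ora: two listeners, VNCR set only for LISTENER.
SAMPLE_LISTENER_ORA = """\
# constructed sample, not a real file
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = hpc1.domain.net)(PORT = 1521))
    )
  )

LISTENER_APP =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = hpc1.domain.net)(PORT = 1522))
    )
  )

VALID_NODE_CHECKING_REGISTRATION_LISTENER = 1
"""

# A top-level entry starts in column 0 as NAME = ...; everything indented
# below it (the DESCRIPTION_LIST body) belongs to that entry.
TOP_LEVEL = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*=(.*)$")
VNCR_PARAM = re.compile(r"^VALID_NODE_CHECKING_REGISTRATION_(.+)$", re.IGNORECASE)


def parse_entries(text):
    """Split listener.ora into {NAME: flattened value} for top-level entries."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = TOP_LEVEL.match(line)
        if m and not raw[0].isspace():
            current = m.group(1).upper()
            entries[current] = m.group(2).strip()
        elif current is not None:
            entries[current] += " " + line.strip()
    return entries


def audit_vncr(text, vncr_default_on=False):
    """Return {listener_alias: status string} for every listener in the file.

    vncr_default_on=False models 11.2.0.4, where the parameter must be set;
    vncr_default_on=True models 12c, where VNCR is on unless set to OFF.
    """
    entries = parse_entries(text)
    # A listener alias is an entry whose value is an address DESCRIPTION.
    listeners = [name for name, value in entries.items()
                 if "(DESCRIPTION" in value.upper() and "(ADDRESS" in value.upper()]
    settings = {}
    for name, value in entries.items():
        m = VNCR_PARAM.match(name)
        if m:
            settings[m.group(1).upper()] = value.strip().upper()
    report = {}
    for alias in listeners:
        value = settings.get(alias)
        if value is None:
            report[alias] = "enabled (default)" if vncr_default_on else "DISABLED (not set)"
        elif value in ("0", "OFF"):
            report[alias] = "DISABLED (set to %s)" % value
        else:
            report[alias] = "enabled (set to %s)" % value
    return report


if __name__ == "__main__":
    for alias, status in audit_vncr(SAMPLE_LISTENER_ORA).items():
        print("%-20s VNCR %s" % (alias, status))
```

Run it against a real file with `audit_vncr(open(path).read())`; any alias reported as DISABLED is one the remote-registration check does not protect.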
$ lsnrctl reload
$ lsnrctl status

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-FEB-2016 13:24:17

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hpc1.domain.net)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date                22-FEB-2016 13:06:41
Uptime                    0 days 0 hr. 17 min. 35 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/app/oracle/product/11.2.0/std4/network/admin/listener.ora
Listener Log File         /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hpc1.domain.net)(PORT=1521)))
The listener supports no services

Any attempt to register with the listener is blocked and the listener.log will have an entry similar to the following:
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.99
22-FEB-2016 13:31:47 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""

On 12c VNCR is enabled by default; any attempt at remote registration is rejected and the listener log will have an entry like the one above.
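The rejection entry above is the signal a defender wants to monitor: once VNCR is on, a rejected registration means something other than the local instance tried to register a service with this listener. The following is an added example (not code from the post) that reads listener.log lines, pairs each "Listener(VNCR option N) rejected Registration request" line with the timestamped service_register_NSGR event and TNS-01182 line that follow it, and counts rejections per source address so repeated attempts from one host stand out. The log lines are constructed from the format of the entry shown in the post; the successful service_register and establish lines are constructed filler and their exact layout is an assumption.

```python
"""Detect VNCR registration rejections in an Oracle listener.log.

Added example: parse the three-line rejection entry written when VNCR
blocks a remote registration and summarise rejections by source address.
"""
import re
from collections import Counter

# Constructed sample listener.log lines: one normal registration, one client
# connection, and three VNCR rejections (two from the same source).
SAMPLE_LISTENER_LOG = """\
22-FEB-2016 13:08:50 * service_register * fgacdb * 0
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.99
22-FEB-2016 13:31:47 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
22-FEB-2016 13:32:05 * (CONNECT_DATA=(SERVICE_NAME=fgacdb)(CID=(PROGRAM=sqlplus)(HOST=app1)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.10)(PORT=50122)) * establish * fgacdb * 0
Listener(VNCR option 1) rejected Registration request from destination 192.168.0.99
22-FEB-2016 13:33:12 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
Listener(VNCR option 1) rejected Registration request from destination 10.0.0.5
22-FEB-2016 13:35:40 * service_register_NSGR * 1182
TNS-01182: Listener rejected registration of service ""
"""

# First line of a rejection entry: carries the VNCR mode and the source address.
REJECT_RE = re.compile(
    r"^Listener\(VNCR option (?P<option>\d+)\) rejected Registration request "
    r"from destination (?P<source>\S+)")
# Timestamped event line that follows it: "<ts> * <event> * <return code>".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (?P<event>\S+) \* (?P<code>\d+)$")
# TNS error line that completes the entry.
TNS_RE = re.compile(r"^(?P<tns>TNS-\d{5}):")


def parse_vncr_rejections(lines):
    """Return one dict per VNCR rejection entry found in the log lines.

    A record is opened by the Listener(VNCR ...) line and completed by the
    event and TNS lines; an unrelated line in between closes it early, so a
    truncated entry is still reported, with timestamp/tns left as None.
    """
    rejections = []
    pending = None
    for line in lines:
        line = line.rstrip("\n")
        m = REJECT_RE.match(line)
        if m:
            pending = {"source": m.group("source"), "vncr_option": int(m.group("option")),
                       "timestamp": None, "event": None, "tns": None}
            rejections.append(pending)
            continue
        if pending is None:
            continue
        m = EVENT_RE.match(line)
        if m and pending["timestamp"] is None:
            pending["timestamp"] = m.group("ts")
            pending["event"] = m.group("event")
            continue
        m = TNS_RE.match(line)
        if m and pending["tns"] is None:
            pending["tns"] = m.group("tns")
        pending = None  # entry complete (or interrupted)
    return rejections


def rejections_by_source(rejections, threshold=1):
    """Count rejections per source address, keeping sources at or above threshold."""
    counts = Counter(r["source"] for r in rejections)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_vncr_rejections(SAMPLE_LISTENER_LOG.splitlines())
    for r in found:
        print("%s  %s  %s from %s" % (r["timestamp"], r["tns"], r["event"], r["source"]))
    print("rejections per source:", rejections_by_source(found))
```

For a live listener, feed the function the text log under the diag directory (the post's example logs to /opt/app/oracle/diag/tnslsnr/hpc1/listener/alert/log.xml; the plain-text listener.log sits under the trace directory of the same tree) and alert on any source that is not one of the hosts expected to register.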
Useful MOS (metalink) notes
Valid Node Checking For Registration (VNCR) [ID 1600630.1]
How to Enable VNCR on RAC Database to Register only Local Instances [ID 1914282.1]
Related Posts
Implementing Class of Secure Transport (COST) to Restrict Instance Registration in Oracle 11gR2 SE RAC (Solution mentioned in Oracle Security Alert for CVE-2012-1675)
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle SE RAC Fails (Solution mentioned in Oracle Security Alert for CVE-2012-1675)