Skip to Main Content
  • Questions
  • Oracle TNS poison attack vulnerability

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question.

Asked: October 19, 2020 - 3:30 am UTC

Answered by: Connor McDonald - Last updated: October 19, 2020 - 5:56 am UTC

Category: Database Administration - Version: 11.2.0.3.0

Viewed 100+ times

You Asked

Hi Team

We are running Non-RAC Oracle 11.2.0.3.0 and the TNS poison attack vulnerability (Oracle Security Alert for CVE-2012-1675 - https://www.oracle.com/security-alerts/alert-cve-2012-1675.html ) looks affected this version of Oracle.

What we have done:
* Have applied the latest version of Oracle critical patches update (July/2015) on 11.2.0.3.0

What we are expecting:
* We hope applying the latest CPU (July/2015) for 11.2.0.3.0 can fix it and no further actions required.

My question is:
* Do we still need to follow the steps in <Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1)> mentioned in Oracle Security Alert for CVE-2012-1675 to fix this issue?

Best Regards

and we said...

For such issues, you *always* want to speak to Support and get an official position because security is obviously a make-or-break position for any enterprise.

But in *my* reading of https://www.oracle.com/security-alerts/cpujul2015.html , I don't see any reference to CVE-2012-1675, so I'd be surprised if that patch has resolved the issue.

I'll also add .... you're no more than a month or two away from being on a totally desupported version... so moving to 19c sounds like a much better option to me

More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database