Home » RDBMS Server » Security » Preventing VERSION request to TNS Listener
Preventing VERSION request to TNS Listener [message #247908] Wed, 27 June 2007 08:37 Go to next message
criller
Messages: 2
Registered: June 2007
Location: UK
Junior Member
Hello,

Our company has just had a security review done for it's Oracle servers. One item that was flagged was being able to run a VERSION request against the TNS Listener. The VERSION command can give an attacker version numbers of the installed Oracle software that can then be used to discover and exploit vulnerabilities.

How can we protect against this for our internal network? The audit company suggested server-resident firewalls but I'm not sure about this. What do other people do?

Thanks

PJ
Re: Preventing VERSION request to TNS Listener [message #247917 is a reply to message #247908] Wed, 27 June 2007 09:07 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Before 10g, you can't.
In 10g, only user in dba group or knowing the listener password can do it (of course you have a password on your listener).

Regards
Michel
Re: Preventing VERSION request to TNS Listener [message #247930 is a reply to message #247908] Wed, 27 June 2007 09:57 Go to previous messageGo to next message
criller
Messages: 2
Registered: June 2007
Location: UK
Junior Member
Michel,

Thanks for your quick reply.

We did have a listener password but this stopped our 3rd party monitoring tools working.

Cheers

PJ
Re: Preventing VERSION request to TNS Listener [message #247946 is a reply to message #247930] Wed, 27 June 2007 10:57 Go to previous message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
If you don't have a password to talk with your listener, you don't have a protection against anyone sending a valid command.

[edit: incomprehensible and meaningless sentence, I have to sleep]

Regards
Michel

[Updated on: Wed, 27 June 2007 10:59]

Report message to a moderator

Previous Topic: critical patch update
Next Topic: see users logging in
Goto Forum:
  


Current Time: Thu Mar 28 07:35:47 CDT 2024