在2012年10月,Oracle公司发布一个安全漏洞补丁包,修复的漏洞影响到数据库帐号密码的安全,其名称为CVE-2012-3137。它的具体信息是Oracle 10g和11g数据库中使用SHA-1加密算法帐号口令在知道SID和数据库服务器IP的情况下可以被破解,这使得它成了一个重大安全隐患,因此迫切需要修复。
在oracle 11g中,帐号口令默认采用SHA-1加密算法。如果采用DES加密算法,则不受影响。而10g的帐号口令的默认算法就是DES。
这个漏洞虽然很严重,但只影响到使用SHA-1加密算法的Oracle数据库,所以只需修复受到影响的系统。如果数据库端安装了此补丁包,那么所有的数据库客户端和JDBC客户端(包括WebLogic Server, Fusion Middleware, Enterprise Manager等等)都需要同时安装此补丁包,否则连不上。
受影响的数据库版本有11.2.0.3,11.2.0.2,11.1.0.7,有使用了SHA-1加密算法的10.2.0.5和10.2.0.4,还有使用了SHA-1的10.2.0.3(运行在z/OS下)版本。
如果你的版本收到了影响,可以选择安装补丁,也可以选择不使用SHA-1加密算法来避开这个漏洞。
虽然这个漏洞在11.2.0.3中已经解决,但是仅仅数据库客户端和服务器都升级到11.2.0.3并且sqlnet.ora文件中增加SQLNET.ALLOWED_LOGON_VERSION=12才有效。
在Oracle服务器上安装10月发布的补丁包可以修复这个漏洞,因此此补丁包被高度推荐。
附:
Patching Implications for CVE-2012-3137 and CVE-2012-3151
Patches have been released as part of the October 2012 CPU program to include fixes to protect against vulnerability CVE-2012-3137 and CVE-2012-3151.
CVE-2012-3137
This vulnerability affects database user accounts using SHA-1-based password verifiers for authentication. SHA-1-based password verifiers are also referred to as “11G” password versions. Database user accounts using a DES-based password verifier for authentication are unaffected. DES-based password verifiers are also referred to as “10G” password versions.
For most deployments, patching is only necessary for affected database servers for systems to be protected and to continue to function.
For a limited number of deployments, all Database clients and JDBC clients (including WebLogic Server, Fusion Middleware, Enterprise Manager, etc.) must be patched along with the Database Server; otherwise the un-patched clients will fail to connect to a patched server.
Before installing patches that address CVE-2012-3137, customers must review carefully My Oracle Support Note 1493990.1 , Patching for CVE-2012-3137 .
CVE-2012-3151
CVE-2012-3151 vulnerability affects Database servers and client-only installations for versions 11.2.0.3, 11.2.0.2, 11.1.0.7, 10.2.0.5 and 10.2.0.4. It does not affect Instant Client installations for any version.
Customers are recommended to apply the applicable patches to their systems to address vulnerability CVE-2012-3151.