Oracle vulnerability grants ‘free’ use of Advanced Security Option with Real Application Clusters

by Paul Bullen, Senior License Consultant

Oracle has released its latest security alert (30 April 2012) regarding the “TNS Listener Poison Attack”. This affects 10gR2 and above. Interestingly, if you are using RAC on and above, the workaround for this vulnerability requires use of Oracle Advanced Security (ASO), in particular SSL (Secure Sockets Layer) and TLS (Transport Layer Security), to ensure secure registration of listeners between instances. Oracle has therefore granted the use of SSL/TLS as part of the Oracle Real Application Clusters license.

Oracle has currently provided workarounds (My Oracle Support log in required) for and above.  All these versions are affected and require implementation of ASO to resolve.

We’d be interested to hear how you find implementing this workaround and your thoughts on the license change this makes for you.

In short, if you have Oracle RAC (on Enterprise or Standard Edition), RAC One Node and are running and above, Oracle is now granting you the use of the extra-cost Advanced Security Option (specifically SSL/TLS) as well.  It remains to be seen whether Oracle will rescind this entitlement in later releases or if a non-ASO solution is provided. The workaround for non-RAC instances uses IPC and does not require SSL/TLS – therefore the right to use ASO does not extend to non-RAC instances.

Useful external links:
Oracle announcement
Oracle blog post
PDF download: Overview of exposure
Configuring SSL/TLS in 11.2
Dark Reading analysis

Rocela is not responsible for the content on non-Rocela websites.


2 Responses to Oracle vulnerability grants ‘free’ use of Advanced Security Option with Real Application Clusters

  1. CD says:

    Assuming licensing for Enterprise DB and RAC, does that mean that one can also use all the features of OAS as highlighted below? How do you separate out the SSL/TLS features from the rest of OAS?

    Oracle Advanced Security includes the following features:
    Transparent Data Encryption (TDE) for columns
    Transparent Data Encryption (TDE) for tablespace
    Transparent Data Encryption (TDE) for SecureFiles
    DataPump Export File encryption
    RMAN backup encryption
    Hardware Security Module (HSM) TDE Master Key Protection
    Database strong authentication support (PKI, Kerberos, Radius)
    Smartcard support (PKCS#11)
    Transport Layer Security (TLS) Support
    Native network encryption
    SSL/TLS network encryption
    SSL acceleration
    Certificate Revocation List (CRL) support


    • Paul Bullen says:

      The entitlement given is clear: it is Advanced Security SSL/TLS only, and reading the workaround, it is understandable why they are granting only this. As to differentiation from the other ASO components, I think this should be quite easy as the majority are encryption of objects (in some form or another) rather than encryption of the transport layer. Setting up SSL/TLS is quite a specific configuration operation on the database server which can be identified quite easily; the others generally would be identified from the database itself from data dictionary views. Of course, I’m speaking broadly here: let me know if you have any specific concerns or queries for any of the other components.
