Oracle makes SSL use in database clusters free
The recent exposure of a vulnerability in current Oracle databases has made Oracle issue a new advisory and offer SSL support to particular customers for free – the vulnerability allows an attacker to listen in on database queries and has no appropriate patches. An Oracle blog post provides the background to why the company has issued the new advisory, Oracle Security Alert for CVE-2012-1675 directs customers to two support notes, one for customers without Oracle Real Application Clusters and one for those with Oracle RAC.
For those without RAC, Oracle recommends limiting registration of new listeners to the local node and IPC protocols; instructions are provided in the Oracle Support note "Using Class of Secure Transport (COST) to Restrict Instance Registration". For those with RAC or Exadata, the problem is slightly more complex and the use of COST in those situations also means the use of SSL/TLS Encryption as detailed in "Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC". The issue was that SSL/TLS encryption has been sold at extra cost as Oracle Advanced Security. But now Oracle has updated its licensing so that customers can use the SSL/TLS mechanisms to protect themselves against the vulnerability.
With the change in licensing and the availability of an effective workaround, it is unlikely that Oracle will be producing a patch for its databases in the near future. Oracle is, however, emphatic that users should fix the problem, adding at the end of the security alert: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply this Security Alert solution as soon as possible". The advisory says the problem affects Oracle Database 11gR2 18.104.22.168 and 22.214.171.124, 11gR1 126.96.36.199, and 10g 10.2.0.3, 10.2.0.4 and 10.2.0.5. Users of Oracle Fusion Middleware, Enterprise Manager or E-Business Suite should also take note of the issue as these products include the vulnerable Oracle Database software.