Birthday Attack (Sweet 32) – Resolve TLS Vulnerabilities in your Oracle Database
Author: Chad Cleveland | 6 min read | May 16, 2018
If your security team is being proactive with their monitoring, you may see audit findings on vulnerabilities regarding TLS and TLSv1. In our case, we had a problem with port 6200.
The first step was to check the Oracle Critical Security Warnings, and there I read that Grid Infrastructure does not ship with SSL support, and therefore should not be susceptible to POODLE attacks. Our problem turned out to be SWEET32: birthday attacks against TLS ciphers with a 64-bit block size, and the solution to that is to disable TLS and TLSv1. Changing the port isn’t a solution; you will just see a different port on your audit report next time. I found a configuration file and tools to start and stop the services, but I didn’t know if they were being used. After some digging, I found the answer on Oracle Support.
I applied patch 23282973 (FMW-ONS: ONS FAILS TO START NO MATTER WHAT STRING SET FOR SSLCIPHERS) and then modified the ons.config file. Finally, I tested with openssl.
See Oracle Support for more info: How To: Disable TLS1.0 and TLS1.1 for ONS Server Process (Doc ID 2303219.1)
Details:
/orcl_sw/software/oneoffpatch/linux/opn_SSL/23282973
$ cd 23282973/
$ ls
etc files README.txt
$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 12.2.0.1.6
Copyright (c) 2018, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home       : /u01/app/grid/12.2.0.1
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/grid/12.2.0.1/oraInst.loc
OPatch version    : 12.2.0.1.6
OUI version       : 12.2.0.1.4
Log file location : /u01/app/grid/12.2.0.1/cfgtoollogs/opatch/opatch2018-03-28_11-05-33AM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
Completed on both nodes of cluster.
/u01/app/grid/12.2.0.1/opmn/conf
$ cd 3
$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 12.2.0.1.6
Copyright (c) 2018, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home       : /u01/app/grid/12.2.0.1
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/grid/12.2.0.1/oraInst.loc
OPatch version    : 12.2.0.1.6
OUI version       : 12.2.0.1.4
Log file location : /u01/app/grid/12.2.0.1/cfgtoollogs/opatch/opatch2018-03-28_11-10-14AM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
$
Patch node1:
As Root:
/u01/app/grid/12.2.0.1/crs/install/rootcrs.sh -prepatch
(NEW COMMAND IN 12.2. Do not use rootcrs.pl -unlock; I learned the hard way.)
As Grid:
cd /orcl_sw/software/oneoffpatch/linux/opn_SSL/23282973
$ORACLE_HOME/OPatch/opatch apply /orcl_sw/software/oneoffpatch/linux/opn_SSL/23282973 -oh $ORACLE_HOME -local
/u01/app/grid/12.2.0.1/crs/install/rootcrs.sh -postpatch
(Do not use the previous -unlock command… I learned the hard way.)
Validate node comes up.
Shutdown with crsctl stop crs
cd /u01/app/grid/12.2.0.1/opmn/conf
cp ons.config ons.config.bak.MMDDYYYY
Modify ons.config to add these lines:
sslversions=TLSv1.2
sslciphers=SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA
Start cluster. Repeat on Additional Nodes.
$ lsof -i :6200
COMMAND PID   USER FD  TYPE DEVICE    SIZE/OFF NODE NAME
ons     16380 grid 8u  IPv6 792269064 0t0      TCP  *:lm-x (LISTEN)
ons     16380 grid 14u IPv6 792399448 0t0      TCP  dvailrac01:lm-x->dvailrac01:42893 (ESTABLISHED)
$ ps -ef | grep 16380
grid 7916  4118  0 12:58 pts/3 00:00:00 grep 16380
grid 16380 16379 0 12:52 ?     00:00:00 /u01/app/grid/12.2.0.1/opmn/bin/ons -d
$
Test with openssl. If any of the following connect, you’re in trouble 🙂
openssl s_client -connect dvailrac01:6200 -cipher "DES:3DES" -ssl2
openssl s_client -connect dvailrac01:6200 -cipher "DES:3DES" -ssl3
openssl s_client -connect dvailrac01:6200 -cipher "DES:3DES" -tls1
openssl s_client -connect dvailrac01:6200 -cipher "DES:3DES" -tls1_1
openssl s_client -connect dvailrac01:6200 -cipher "DES:3DES" -tls1_2
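An added verification script (my own, not from the original post) that runs the same openssl s_client checks in a loop, treats any completed DES/3DES handshake as a finding, and also confirms the two AES ciphers set in ons.config still negotiate over TLS 1.2 so the change did not break ONS. The host name, port and ONS_HOST/ONS_PORT variables are assumptions; the built-in self-check uses constructed s_client transcripts and needs no server.

```shell
#!/bin/sh
# Added example, not part of the original post: probe an ONS listener for the
# protocol versions and 64-bit block ciphers (DES/3DES) behind a Sweet32 finding,
# then confirm the hardened TLS 1.2 ciphers still negotiate. HOST/PORT are
# assumed placeholders; older OpenSSL builds may reject -ssl2/-ssl3 outright,
# which is simply counted as "not connected".
HOST="${ONS_HOST:-dvailrac01}"
PORT="${ONS_PORT:-6200}"

# True when an s_client transcript shows a completed handshake: the
# "New, <proto>, Cipher is <name>" line exists and the cipher is not (NONE).
handshake_succeeded() {
    printf '%s\n' "$1" | grep -E '^New, .*Cipher is ' | grep -qv 'Cipher is (NONE)'
}

# Run one s_client attempt and print a verdict. Returns 1 when the result
# differs from what the hardened configuration should produce.
probe() {
    proto_flag="$1"; ciphers="$2"; expect="$3"   # expect: reject | accept
    out=$(openssl s_client -connect "$HOST:$PORT" -cipher "$ciphers" "$proto_flag" </dev/null 2>&1)
    if handshake_succeeded "$out"; then verdict=accept; else verdict=reject; fi
    if [ "$verdict" = "$expect" ]; then
        echo "ok:      $proto_flag $ciphers -> $verdict"; return 0
    fi
    echo "FINDING: $proto_flag $ciphers -> $verdict (expected $expect)"; return 1
}

run_all() {
    rc=0
    for p in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe "$p" "DES:3DES" reject || rc=1
    done
    # OpenSSL names for SSL_RSA_WITH_AES_256_CBC_SHA256 / SSL_RSA_WITH_AES_256_CBC_SHA
    probe -tls1_2 "AES256-SHA256:AES256-SHA" accept || rc=1
    return "$rc"
}

# Offline self-check of the transcript classifier on constructed s_client output.
selftest() {
    good='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
SSL-Session:'
    bad='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)'
    handshake_succeeded "$good" || return 1
    handshake_succeeded "$bad" && return 1
    handshake_succeeded "unknown option -ssl2" && return 1
    return 0
}

if [ "${1:-}" = "--probe" ]; then run_all; fi
```

Run it as `sh check_ons_tls.sh --probe` against each cluster node; a non-zero exit means either a weak handshake was accepted or the intended TLS 1.2 cipher no longer works.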
More info on the Sweet 32 Birthday Attack: https://access.redhat.com/articles/2548661