Birthday Attack (Sweet 32) – Resolve TLS Vulnerabilities in your Oracle Database

By Chad Cleveland | In Oracle | May 16th, 2018

If your security team is being proactive with their monitoring, you may see audit findings on vulnerabilities regarding TLS and TLSv1. In our case, we had a problem with port 6200, the remote port of the Oracle Notification Service (ONS) that ships with Grid Infrastructure. The first step was to check the Oracle Critical Security Warnings, and there I read that Grid Infrastructure does not ship with SSL support, and therefore should not be susceptible to POODLE attacks. Our problem turned out to be SWEET32: birthday attacks against TLS ciphers with a 64-bit block size, such as the 3DES suites (DES-CBC3-SHA), which can be negotiated under TLS 1.0, 1.1 and 1.2 but not TLS 1.3. The fix Oracle documents for ONS is to disable TLS 1.0 and TLS 1.1 on the ONS server process and restrict its cipher list so that no 3DES suite remains. Changing the port isn't a solution; you will just see a different port on your audit report next time. I found a configuration file and tools to start and stop the services, but I didn't know if they were being used. After some digging, I found the answer on Oracle Support.

I applied patch 23282973 (FMW-ONS: ONS FAILS TO START NO MATTER WHAT STRING SET FOR SSLCIPHERS) and then modified the ons.config file. Finally, I tested with openssl.

See Oracle Support for more info: How To: Disable TLS1.0 and TLS1.1 for ONS Server Process (Doc ID 2303219.1)


The steps I followed, in order:

  1. PREREQ session with OPatch. OPatch succeeded.
  2. Patch completed on both nodes of the cluster.
  3. PREREQ session (do not use the previous -unlock command…I learned the hard way).
  4. Validate that the node comes up.
  5. Shut down with crsctl stop crs.
  6. Start the cluster. Repeat on the additional nodes.
  7. Test with openssl s_client. If any of the following connect, you're in trouble 🙂
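A script for the final test, added here as an example rather than taken from the original post or from Oracle. It assumes openssl s_client is on PATH, takes the host and port as arguments (defaulting to the port 6200 from the audit finding), forces each TLS version in turn, and then offers only 3DES suites to see whether the server still accepts a 64-bit block cipher, which is what SWEET32 actually needs. The verdict is derived from the "New, <version>, Cipher is <cipher>" line that s_client prints after a handshake; the function names and the ACCEPTED/REJECTED/ERROR labels are this script's own.

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): probe an ONS
# remote port for the TLS versions it accepts and for the 64-bit block
# ciphers that SWEET32 abuses. Assumes openssl s_client is on PATH.
# Usage: sh ons_tls_check.sh racnode1 6200

# Turn one openssl s_client transcript into a verdict:
#   ACCEPTED <cipher>  - the server completed a handshake with that cipher
#   REJECTED           - the server refused the offered version/cipher
#   ERROR              - no handshake summary at all (port closed, or the
#                        local OpenSSL would not even offer that version)
classify_handshake() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        '')       echo ERROR ;;
        '(NONE)') echo REJECTED ;;
        *)        echo "ACCEPTED $cipher" ;;
    esac
}

# 64-bit block ciphers: 3DES (DES-CBC3-*), single DES, RC2 and IDEA suites.
# AES/ChaCha suite names never contain these substrings.
is_sweet32_cipher() {
    case "$1" in
        *DES*|*RC2*|*IDEA*) echo yes ;;
        *)                  echo no ;;
    esac
}

# Run one handshake against host:port with extra s_client options
# (e.g. -tls1_1 to force a version, -cipher 3DES to offer only 3DES suites).
probe() {
    host=$1; port=$2; shift 2
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "$@" 2>&1) || true
    classify_handshake "$out"
}

if [ "$#" -ge 1 ]; then
    host=$1
    port=${2:-6200}   # 6200 is the ONS remote port flagged in the audit
    for opt in -tls1 -tls1_1 -tls1_2; do
        printf '%-10s %s\n' "$opt" "$(probe "$host" "$port" "$opt")"
    done
    # Offer only 3DES suites. A TLS 1.3 server answers with an AEAD suite
    # instead, which is_sweet32_cipher reports as "no".
    verdict=$(probe "$host" "$port" -cipher 3DES)
    case "$verdict" in
        ACCEPTED*) printf '%-10s %s (SWEET32 cipher: %s)\n' '3DES only' "$verdict" \
                       "$(is_sweet32_cipher "${verdict#ACCEPTED }")" ;;
        *)         printf '%-10s %s\n' '3DES only' "$verdict" ;;
    esac
fi
```

After the change, -tls1 and -tls1_1 should come back REJECTED and the 3DES-only probe should be REJECTED or ACCEPTED with a non-DES cipher; an ACCEPTED DES-CBC3-SHA on any line is the finding the scanner will keep reporting. ERROR means the probe itself did not run: either the port is closed or the local OpenSSL build refuses to offer that protocol version, so test from a host whose OpenSSL still allows it.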

More info on the Sweet 32 Birthday Attack:

Datavail Script: Terms & Conditions

By using this software script (“Script”), you are agreeing to the following terms and conditions, as a legally enforceable contract, with Datavail Corporation (“Datavail”). If you do not agree with these terms, do not download or otherwise use the Script. You (which includes any entity whom you represent or for whom you use the Script) and Datavail agree as follows:

  1. CONSIDERATION. As you are aware, you did not pay a fee to Datavail for the license to the Script. Consequently, your consideration for use of the Script is your agreement to these terms, including the various waivers, releases and limitations of your rights and Datavail’s liabilities, as set forth herein.
  2. LICENSE. Subject to the terms herein, the Script is provided to you as a non-exclusive, revocable license to use internally and not to transfer, sub-license, copy, or create derivative works from the Script, not to use the Script in a service bureau and not to disclose the Script to any third parties. No title or other ownership of the Script (or intellectual property rights therein) is assigned to you.
  3. USE AT YOUR OWN RISK; DISCLAIMER OF WARRANTIES. You agree that your use of the Script and any impacts on your software, databases, systems, networks or other property or services are solely and exclusively at your own risk. Datavail does not make any warranties, and hereby expressly disclaims any and all warranties, implied or express, including without limitation, the following: (1) performance of or results from the Script, (2) compatibility with any other software or hardware, (3) non-infringement or violation of third party’s intellectual property or other property rights, (4) fitness for a particular purpose, or (5) merchantability.

You hereby release Datavail from any claims, causes of action, losses, damages, costs and expenses resulting from your downloading or other use of the Script.

  4. AGREEMENT. These terms and conditions constitute your complete and exclusive legal agreement between you and Datavail.
Chad Cleveland
Senior Oracle DBA
Chad Cleveland is an exciting and energetic individual with 15 years of experience in IT, including 9 years as an Oracle Database Administrator. He enjoys working with his customers to streamline and remediate Database Infrastructure in areas such as hardware migrations, Cluster (RAC) and database upgrades, and extensive monitoring solutions with Oracle Enterprise Manager.
