Vulnerability Scanning at Port 6200
Vulnerability scanner reports a weakness at port 6200 of the RAC server.
Vulnerability Insight
The TLSv1.0 and TLSv1.1 protocols contain known cryptographic flaws like:
- CVE-2011-3389: Browser Exploit Against SSL/TLS (BEAST)
- CVE-2015-0204: Factoring Attack on RSA-EXPORT Keys Padding Oracle On Downgraded Legacy Encryption (FREAK)
In summary, vulnerability scanner thinks TLSv1.0 and TLSv1.1 protocols are potential weakness and we should disable them at port 6200 for safety.
Theoretically, such flaws CVE-2011-3389 and CVE-2015-0204 should have been fixed by Oracle in 2015. The affected products are 12.1 and earlier releases. A sophisticated release like 19c should have no such problem.
However, we found TLSv1.1 with AES256-SHA is still available at port 6200. That's the one we have to conquer.
Who is Using Port 6200?
After investigating which process is listening to the specific port, we found that Oracle Notification Service (ONS) is listening to port 6200.
Reversely, to know which ports are used by ONS, you may issue the following command by grid to make sure.
[grid@primary01 grid]$ srvctl config ons
ONS exists: Local port 6100, remote port 6200, EM port 2016, Uses SSL true
ONS is enabled
ONS is individually enabled on nodes:
ONS is individually disabled on nodes:
Please use the following command to print more information of ONS.
Or verbosely:
Disable TLSv1.0 and TLSv1.1
To deny TLSv1.0 and TLSv1.1 for clients to connect ONS Service at port 6200, we take the following steps to turn them off.
Backup ons.config
The main file that we should configure is $ORACLE_HOME/opmn/conf/ons.config in grid infrastructure.
By design, user grid is the owner of ONS, so we login to the operating system by grid and then make a copy.
[grid@primary01 grid]$ cd $ORACLE_HOME/opmn/conf
[grid@primary01 conf]$ pwd
/u01/app/19.0.0/grid/opmn/conf
[grid@primary01 conf]$ cp -p ons.config ons.config-`date +%Y%m%d`-backup
Edit ons.config
We append two lines to the file.
[grid@primary01 conf]$ vi ons.config
...
sslversions=TLSv1.2
sslciphers=SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA
Where we allow only TLSv1.2 and support 2 cipher suits, i.e. AES256-SHA256 and AES256-SHA.
Restart ONS
We combine srvctl stop ons and srvctl start ons in one command line to restart ONS without execution gap like this.
[grid@primary01 conf]$ srvctl stop ons; srvctl start ons; srvctl status ons
ONS ons is enabled.
ONS ons is running.
Meanwhile, the cluster make a copy to ons.config.<hostname_in_short>.
Please note that, command onsctl reload has no use to refresh the service in our test.
Test Connection
Here we use openssl to connect the port locally.
TLSv1.2
We test TLSv1.2 without specifying any cipher suite.
[grid@primary01 conf]$ openssl s_client -connect localhost:6200 -tls1_2
We got the server certificate as we expected.
TLSv1
We test TLSv1 without specifying any cipher suite.
[grid@primary01 conf]$ openssl s_client -connect localhost:6200 -tls1
CONNECTED(00000003)
804401144:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1677026814
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
It failed to pass the test.
TLSv1.1
We test TLSv1.1 without specifying any cipher suite.
[grid@primary01 conf]$ openssl s_client -connect localhost:6200 -tls1_1
CONNECTED(00000003)
804401144:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1677026620
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
It failed to pass the test.
TLSv1.2 with Unsupported Cipher
We specify some weak cipher suite, say 3DES, to work with TLSv1.2 and see whether it can pass the test or not.
[grid@primary01 conf]$ openssl s_client -connect localhost:6200 -tls1_2 -cipher 3DES
CONNECTED(00000003)
804401144:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1677026855
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Since 3DES is not supported, the failure is expected.
Sometimes, you are required to completely close the port to stop any chances to access the server, you may disable ONS for good.