How to manage the Oracle ALLOWED_LOGON_VERSION=12 flag in Database Vulnerability Manager

Technical Articles ID: KB79566
Last Modified: 2023-09-07 04:58:15 Etc/GMT

Environment

Vulnerability Manager for Databases (DVM) 4.x

Oracle Database

Problem 1

This issue is relevant for scanning Oracle 12c with DVM, but might affect different Oracle versions as explained further in this article.

DVM uses Oracle driver version 10g to provide full support for Oracle 8i to 11g. Oracle provides backward support for two versions before any given driver. For example, the Oracle 10g driver supports Oracle 8i to 11g, but the Oracle 11g driver supports only Oracle 9i to 12c.

If you want to use the ALLOWED_LOGON_VERSION=12 flag, replace the Oracle driver used by DVM with the version supplied with Oracle 11g (that is, ojdbc6.jar). If you update the driver to version 11g, it means that DVM can't connect to Oracle 8i. It can connect only to Oracle 9i and later.

IMPORTANT: Oracle driver replacement is supported only in DVM 4.4.4 and later. Earlier versions of DVM do not support Oracle driver replacement.

You can see an indication of this issue when you set up an Oracle DVM instance, and you see the following authentication error during setup:

ORA-28040: No matching authentication protocol

Problem 2

Because of an Oracle authentication vulnerability (CVE-2012-3137), Oracle recommends that you use ALLOWED_LOGON_VERSION=12 as mitigation. See MyOracle Support note 1492721.1 for details.

If you set this parameter, older Oracle drivers can no longer connect to the latest versions, 11.2.0.x and 12.x, of Oracle.

NOTE: In Oracle 12c, the ALLOWED_LOGON_VERSION=12 flag is set by default.

Solution

Implement only one of the following two possible options:

Set the ALLOWED_LOGON_VERSION parameter to a value of 10 or lower.
Replace the Oracle 10g JDBC driver with an Oracle 11g or later JDBC driver (see below).

To replace the Oracle driver used by DVM (ePO version):

Download the Oracle 11g JDBC driver file, ojdbc6.jar, from the Oracle Database Technologies page. If you're connecting to Oracle 12.1.0.2 or later, instead download the Oracle 12cR2 JDBC driver file, ojdbc8.jar, from the Oracle Downloads page.
Click Start, Run, type explorer, and then click OK.
Navigate to <ePO_installation_dir>\Server\extensions\installed\dbsecdvm\<version>\webapp\WEB-INF\lib\.
Copy the new JDBC file, ojdbc6.jar or ojdbc8.jar, into this folder. For example: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions\installed\dbsecdvm\<version>\webapp\WEB-INF\lib\.
Click Start, Run, type services.msc, and click OK.
Right-click the ePolicy Orchestrator Application Server service, and click Stop.
Rename the ojdbc14.jar file to ojdbc14.jar.old in <ePO_installation_dir>\Server\extensions\installed\dbsecdvm\<version>\webapp\WEB-INF\lib\.
Right-click the ePolicy Orchestrator Application Server service, and then click Start.

To replace the Oracle driver used by DVM (standalone version):

NOTE: The following procedure affects the import from the TNS file feature and it might not be available after the change.

Download the Oracle 11g JDBC driver file, ojdbc6.jar, from the Oracle Database Technologies page.
If you're connecting to Oracle 12.1.0.2 or later, instead download the Oracle 12cR2 JDBC driver file, ojdbc8.jar, from the Oracle Downloads page.
Click Start, Run, type explorer, and then click OK.
Navigate to <server_installation_dir>\webapps\ROOT\WEB-INF\lib\
Copy the new JDBC driver file, ojdbc6.jar or ojdbc8.jar, into this folder. For example: C:\Program Files (x86)\McAfee\McAfee Database Security\webapps\ROOT\WEB-INF\lib.
Click Start > Run, type services.msc, and then click OK.
Right-click the Database Security Server service, and then click Stop.
Rename the ojdbc14.jar file to ojdbc14.jar.old in <server_installation_dir>\webapps\ROOT\WEB-INF\lib\.
Right-click the Database Security Server service, and then click Start.

IMPORTANT: In Oracle 12.1.0.2, Oracle introduced a new 12a password verifier. If the ALLOWED_LOGON_VERSION flag is set to 12a, the Oracle 11g driver not might connect to the database. In this scenario, you must upgrade to the Oracle 12c JDBC driver and also upgrade the Server JVM to Java 8 or upgrade Database Security Server to version 4.6.4 or later.

Related Information

For information about configuring Oracle as a back-end database with the ALLOWED_LOGON_VERSION=12 flag, see KB83314 - How to configure Oracle as a back-end database with the ALLOWED_LOGON_VERSION=12 flag.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

How to manage the Oracle ALLOWED_LOGON_VERSION=12 flag in Database Vulnerability Manager

Environment

Problem 1

Problem 2

Solution

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

How to manage the Oracle ALLOWED_LOGON_VERSION=12 flag in Database Vulnerability Manager

Environment

Problem 1

Problem 2

Solution

Related Information

Affected Products

Languages:

Choose your region

Title

Title