12c EM: How to patch a Enterprise Base Platform Agent to protect it against vulnerability CVE-2012-3137?
Last updated on SEPTEMBER 01, 2017
Applies to:Enterprise Manager for Oracle Database - Version 184.108.40.206.0 to 220.127.116.11.0 [Release 12.1]
Enterprise Manager Base Platform - Version 18.104.22.168.0 to 22.214.171.124.0 [Release 12.1]
Information in this document applies to any platform.
12C Agent is monitoring a database (EM Repository or target database) that is using SHA-1 based password verifier. Latest CPU (or PSU) patch has been applied on the database. Database has SHA-1 based password verifier enabled (SQLNET.ALLOWED_LOGON_VERSION=12 is set in sqlnet.ora file.
When a 12c Agent is monitoring a 11g target Database, whose sqlnet.ora file has the SQLNET.ALLOWED_LOGON_VERSION=12 parameter set, the Database is marked as Down in the Console.
- The Agent fails to connect to the Database with the below errors:
ORA-01017: invalid username/password; logon denied OR ORA-28040: No matching authentication protocol
- These errors can be seen in the <AGENT_INST>/sysman/log/emagent_perl.trc or in the Console UI when you drill down into the Availability history of the Database.
The error is also reported when the REsponse metric of the Database is evaluated manually, for example:
cd <AGENT_HOME>/bin ./emctl getmetric agent orcl_12,oracle_database,Response Oracle Enterprise Manager Cloud Control 12c Release 3 Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved. Status,State,oraerr,Archiver,DatabaseStatus,ActiveState 0,UNKNOWN,Failed to connect: java.sql.SQLException: ORA-01017: invalid username/password; logon denied ,UNKNOWN,UNKNOWN,UNKNOWN
Similar errors will occur for the 'Management Services and Repository' target as well, if the SQLNET.ALLOWED_LOGON_VERSION=12 parameter is set in the Repository database's sqlnet.ora file.
According to the details in <Note 1493990.1> : Patching for CVE-2012-3137, the Agent (which is the client in this case) needs to be patched, so that it can connect to this Database.
This document provides the patch details for the agent.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms