Database Software

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

CVE-2012-1675: Listener vulnerability question

Pablo EscaleraJan 13 2020 — edited Jan 13 2020

Good morning,

We have found out a vulnerability through listener with some programs like nmap. As you can see bellow, running it we can see listener port and database version, which could be a big problem for our customer:

.\nmap.exe -p0- -v -A -T4 WIN-9H8TGULUPL1

1521/tcp open oracle-tns Oracle TNS listener 1.3.0.0.0 (unauthorized)

(only show 1, not 19, but it could be enough to have an attack)

.\nmap.exe -p0- -v -A -T4 vmNGF2

1521/tcp open oracle-tns Oracle TNS listener 12.2.0.1.0 (unauthorized)

.\nmap.exe -p0- -v -A -T4 vmNGF2

1523/tcp open oracle-tns Oracle TNS listener 12.2.0.1.0 (unauthorized)

We have checked this error since 10g version to 19c.

How we could restrict that information? I have already tested updating listener port, but we have same problem. Furthermore, we have update VALID_NODE_CHECKING_REGISTRATION_<listener_name> = ON but problem still happens.

If it helps, we're following OWASP 4 testing guide.

Thanks in advance.

Best regards

Added on Jan 13 2020

#database-security, #database-security-general

7 comments

7,591 views