Oracle Security Alert for CVE-2012-1675 “TNS Listener Poison Attack”

Oracle Critical Patch Updates (CPU)

The Oracle database server has a separate network connection process
that usually operates on TCP port 1521. The database registers as a
listener with this process and the process forwards the client requests
on to the actual database system that handles the requested
database instance. Since version 8i, these network connection
processes can register additional listeners. Such a listener can
even be registered for an existing database instance. The active listener
interprets this as a new Oracle Real Application Clusters (RAC) node and uses
the new listener to implement load balancing. In other words: every second
database connection will be routed via the new listener.

This security hole is particularly serious “because it allows remote
and unauthenticated attackers to redirect the database’s network
traffic on the database server to an arbitrary server and then
intercept it. All they need to know is the Oracle SID
or Oracle service name.”

Affected Products and Versions:

Oracle Database 11g Release 2, versions,
Oracle Database 11g Release 1, version
Oracle Database 10g Release 2, versions,,

Immediate solution for non-cluster envernment:

dynamic_registration_<listener> = off

For Example:

Step 1
LSNRCTL> show dynamic_registration


LISTENER parameter “dynamic_registration” set to ON

The command completed successfully

Step 2

(ADDRESS = (PROTOCOL = TCP)(HOST = hostname)(PORT = 1521))

(ORACLE_HOME = /u01/app/oracle/product/
(PROGRAM = extproc)
(global_dbname = ORCL.hostname)
(ORACLE_HOME = /u01/app/oracle/product/
(sid_name = hostname)

ADR_BASE_LISTENER = /u01/app/oracle




The attack is on the Listener itself – so if we want to prevent this attack,
we need to secure that Listener, irrespective of its location.

Note: Mandatory if we expose our Listener to an unsecured or public network (e.g. internet).

As for Listeners running on our internal network –
Internal network already needs to be compromised in order for the attack to occur.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.