Oracle TNS Protocol Vulnerability

A critical vulnerability in Oracle’s Transparent Network Substrate (TNS) protocol allows unauthenticated attackers to access sensitive system memory contents, including environment variables and connection data.

Oracle assigned CVE-2025-30733 to this vulnerability and released patches on April 15, 2025. The vulnerability affects Oracle Database Server versions 19.3-19.26, 21.3-21.17, and 23.4-23.7, carrying a CVSS 3.1 Base Score of 6.5. 

Despite the default Oracle configuration limiting external access since version 10g, researchers identified approximately 40 exposed servers worldwide, primarily running Windows systems on the default listener port 1521.

Exposed server locations

Oracle TNS Listener Memory Leak

Driftnet researchers uncovered the vulnerability while developing protocol analyzers for internet intelligence gathering. 

The team sends version requests to Oracle TNS listeners using the command (DESCRIPTION=(CONNECT_DATA=(COMMAND=version))), similar to Oracle’s own lsnrctl (Listener Control Utility). 

While analyzing a TCPS (TNS over SSL/TLS) configured listener, researchers observed unexpected data being returned after the standard banner information.

The leaked data appears to come from uninitialized memory reads, and the amount of sensitive information it contains varies with recent server memory usage.

Example leaked data includes Windows environment variables such as USERDOMAIN=WORKGROUP, USERNAME=FIDRSRV$, and Path=C:ORACLE19.3.0DATABASEbin;C:ORACLE19.3.0CLIENTbin. 

The leaked information typically shows prefixes like “sdp” or “wss”, likely related to Session Description Protocol (SDP) and Web Services Security (WSS) features.

The vulnerability’s remote accessibility depends on the LOCAL_OS_AUTHENTICATION configuration setting. When set to OFF, the listener becomes accessible beyond local connections, making the memory leak exploitable by external attackers. 

Oracle’s default configuration since version 10g provides protection, but minor configuration changes can expose systems to this vulnerability.

The memory leak occurs specifically when interacting with TCPS listeners, where the Oracle Database server fails to properly zero memory before responding to connection requests. 

This results in potentially sensitive system information being transmitted to unauthenticated remote users over the internet. 

The vulnerability represents a classic information disclosure issue where uninitialized memory contents are inadvertently exposed through network communications.

| Risk Factors | Details |
| --- | --- |
| Affected Products | Oracle Database Server RDBMS Listener (versions 19.3–19.26, 21.3–21.17, 23.4–23.7) |
| Impact | Unauthorized access to critical system memory contents |
| Exploit Prerequisites | 1. Network access to TNS listener 2. Non-default configuration (LOCAL_OS_AUTHENTICATION=OFF) 3. User interaction required |
| CVSS 3.1 Score | 6.5 (Medium) |

Mitigations

Oracle demonstrated a quick response timeline to this security issue. Database administrators should immediately apply Oracle’s April 2025 Critical Patch Update to remediate this vulnerability. 

Additionally, organizations should ensure the LOCAL_OS_AUTHENTICATION parameter is properly configured and minimize their external attack surface by avoiding unnecessary exposure of Oracle TNS services to the public internet.
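One way to check a listener configuration for the two conditions described above, as an added example that is not code from the article, Driftnet, or Oracle. It assumes the setting appears in listener.ora as LOCAL_OS_AUTHENTICATION_<listener name>; the function names and the sample file are constructed for illustration.

```python
import re

# Affected release ranges as stated in the article: (major, first minor, last minor).
AFFECTED = [(19, 3, 26), (21, 3, 17), (23, 4, 7)]

# Constructed sample listener.ora; host name and ports are made up for this example.
SAMPLE_LISTENER_ORA = """\
# constructed sample
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.example.internal)(PORT = 2484))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    )
  )
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
"""

# Assumption: the parameter is written with a listener-name suffix in listener.ora.
AUTH_RE = re.compile(r"(?im)^\s*LOCAL_OS_AUTHENTICATION_?(\w*)\s*=\s*(\w+)")
ADDRESS_RE = re.compile(r"(?i)\(\s*ADDRESS\s*=\s*((?:\([^()]*\)\s*)+)\)")
PAIR_RE = re.compile(r"\(\s*(\w+)\s*=\s*([^()\s]+)\s*\)")


def is_affected(version):
    """True if a release such as '19.21' or '19.21.0.0.0' is in an affected range."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return any(major == m and lo <= minor <= hi for m, lo, hi in AFFECTED)


def audit_listener_ora(text):
    """Report the two settings the article ties to remote exposure of the leak."""
    # Strip '#' comments so commented-out settings are not reported.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    findings = []
    for match in AUTH_RE.finditer(body):
        if match.group(2).upper() == "OFF":
            findings.append(("local_os_auth_off", match.group(1)))
    for match in ADDRESS_RE.finditer(body):
        fields = {k.upper(): v for k, v in PAIR_RE.findall(match.group(1))}
        if fields.get("PROTOCOL", "").upper() == "TCPS":
            findings.append(("tcps_endpoint", f"{fields.get('HOST')}:{fields.get('PORT')}"))
    return findings


if __name__ == "__main__":
    print("19.21 affected:", is_affected("19.21"))
    for finding in audit_listener_ora(SAMPLE_LISTENER_ORA):
        print(finding)
```

A host that reports an affected release together with both findings matches the exposure conditions the article describes and should be prioritized for the April 2025 Critical Patch Update.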

The discovery highlights the ongoing security challenges in legacy network protocols, as Oracle’s lsnrctl was released approximately thirty years ago. 

Security experts recommend that organizations actively manage and minimize their external attack surfaces, emphasizing that the most effective protection is simply not exposing database services to the public internet in the first place.
