Oracle Corporation has just released the following security alert:
Vulnerability in the Oracle Listener Program
Oracle listener program releases 7.3.4, 8.0.6 and 8.1.6
All platforms except Open VMS.
A security vulnerability in the listener program of the Oracle Enterprise Server has been
discovered. Using this vulnerability, a knowledgeable and malicious attacker can potentially
gain a higher level of access to the Oracle owner account and Oracle databases and introduce
malicious code into various operating systems.
The commands SET LOG_FILE and SET TRC_FILE allow the log and trace files, respectively, to
which the listener program writes, to be modified dynamically while the listener program is
running. The listener program can be configured to append and/or overwrite logging and tracing
information to any operating system file that can be written by the Oracle owner, such as an
alert file or a database file, and thereby corrupt an Oracle database and potentially
introduce malicious code into the operating system.
You must apply the patch as soon as it is available for your platform. However, an
interim workaround until the patch is available for your platform is to password
protect the listener. Once the listener has been password
protected the SET LOG_FILE and SET TRACE_FILE commands in lsnrctl will not
work without a password.
For instructions on how to password protect the listener see the following:
<Note:92602.1> How to password protect your listener
In addition to setting the listener password you should also set up your
permissions to limit who has access to the listener.ora file and the
The generic bug filed against the Oracle listener program is 1361722.
The patch for this exploit allows a database administrator to restrict run-time administration
of the Oracle listener program. A new parameter, ADMIN_RESTRICTIONS_LISTENER, has been
introduced into listener.ora, the control file for the Oracle listener program. Setting
ADMIN_RESTRICTIONS_LISTENER=ON prevents the vulnerability from being exploited by disabling
the run-time modification of parameters in listener.ora. That is, the listener program will
refuse to accept SET commands that alter its parameters and attempting to issue a SET command
will result in the generation of an error message. Thus, to change any one of the parameters
in listener.ora, including ADMIN_RESTRICTIONS_LISTENER itself, this file needs to be edited
manually and its parameters need to be reloaded manually (e.g., LSNRCTL RELOAD) for the new
changes to take effect without explicitly stopping and restarting the listener program.
Operating system access to the protected Oracle account owner directories and files is
required to edit listener.ora. Note that the Oracle account owner directories and files must
be protected in the operating system by setting the access control permissions on them as
recommended by Oracle Corporation in its user manuals.
ADMIN_RESTRICTIONS_LISTENER=OFF is the default value when the listener program is installed in
order to maintain current customer environments and backward compatibility. There is no change
in the run-time behavior of the listener program or in syntax of the SET commands in this mode.
Oracle Corporation recommends establishing the listener program password in this mode of
Patches are available in MetaLink. Log in to MetaLink at http://metalink.oracle.com. Choose
the Patches button and select SQL*Net from the drop-down product list.
The patches are also available for download from the Oracle FTP server.
FTP Server Patch Locations
Intel Based Server LINUX
Sun SPARC Solaris
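
A check for the two controls the alert describes, the listener password and ADMIN_RESTRICTIONS_LISTENER=ON, plus the listener.ora file permissions. This is an added example, not part of Oracle's alert or the original post. It assumes the listener is named LISTENER, that the password is stored in the PASSWORDS_LISTENER parameter of listener.ora, and POSIX permission bits; the sample files are constructed.

```python
import os
import re
import stat

# Constructed sample listener.ora contents (not taken from the alert).
SAMPLE_WEAK = """\
LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521)))
# ADMIN_RESTRICTIONS_LISTENER = ON
"""
SAMPLE_HARDENED = SAMPLE_WEAK + """\
PASSWORDS_LISTENER = (PLACEHOLDER_HASH)
admin_restrictions_listener = on
"""

def top_level_params(text):
    """Return {NAME: value} for parameters at parenthesis depth 0; '#' comments are ignored."""
    params, depth, name, value = {}, 0, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = re.match(r"\s*([A-Za-z_][\w.]*)\s*=\s*(.*)", line) if depth == 0 else None
        if m:
            if name:
                params[name] = " ".join(value).strip()
            name, value, line = m.group(1).upper(), [], m.group(2)
        if name and line.strip():
            value.append(line.strip())
        depth += line.count("(") - line.count(")")
    if name:
        params[name] = " ".join(value).strip()
    return params

def audit(text, listener="LISTENER", path=None):
    """List findings for one listener; an empty list means both controls are set."""
    p, findings = top_level_params(text), []
    if p.get(f"ADMIN_RESTRICTIONS_{listener}".upper(), "OFF").upper() != "ON":
        findings.append("ADMIN_RESTRICTIONS is OFF (default): run-time SET commands accepted")
    if not p.get(f"PASSWORDS_{listener}".upper()):  # assumed password parameter name
        findings.append("no listener password configured")
    # Assumption: POSIX mode bits; flags a file that non-owners can modify.
    if path and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("listener.ora is writable by group or others")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_WEAK))
    print(audit(SAMPLE_HARDENED))
```

A commented-out ADMIN_RESTRICTIONS_LISTENER line, as in the weak sample, is reported as OFF because the listener never sees it.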