Oracle TNS Protocol Flaw Exposes System Memory to Attackers

Security researchers at Driftnet have discovered a critical information disclosure vulnerability in Oracle’s Transparent Network Substrate (TNS) protocol that allows unauthenticated remote attackers to access potentially sensitive system memory contents.

Oracle assigned CVE-2025-30733 to the vulnerability and released a patch on April 15, 2025.

The flaw can expose environment variables and other sensitive data stored in uninitialized memory to attackers over the internet, though exploitation requires specific non-default Oracle database configurations.

The vulnerability was uncovered during Driftnet’s routine internet intelligence gathering when researchers were developing protocol analyzers to identify Oracle database versions.

[Figure: Oracle Database versions]

The security flaw specifically affects Oracle Database servers configured with TCPS listeners, which handle secure connections.

When researchers sent standard version requests using the command (DESCRIPTION=(CONNECT_DATA=(COMMAND=version))) to TCPS-enabled servers, they observed unexpected additional data being returned after the normal banner information.

The leaked data appears to be read from unzeroed memory, and the amount of sensitive information it contains varies with recent server memory usage.

In documented cases, the exposed data included Windows environment variables such as user profiles, system paths, Oracle installation directories, and computer names.

The leaked information was typically prefixed by “sdp” or “wss,” likely related to the listener’s Session Description Protocol and Web Services Security features.

This memory disclosure represents a significant security risk as it can reveal internal system configurations and potentially sensitive operational data to unauthorized users.

Exposure and Impact Assessment

Despite Oracle’s default security configurations limiting unauthenticated external access since version 10g, Driftnet identified approximately 40 servers worldwide exhibiting this memory leak vulnerability.

The exposure depends critically on the LOCAL_OS_AUTHENTICATION configuration setting—when set to OFF, the listener becomes accessible beyond local connections, creating the vulnerability window.
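As an added illustration (not code from Driftnet, Oracle or this article), the following Python sketch audits a listener.ora file for the combination described above: a listener with a TCPS endpoint whose local OS authentication is switched off. It assumes the setting appears in listener.ora as LOCAL_OS_AUTHENTICATION_<listener_name> and that a missing entry means the protective default; the sample file is constructed.

```python
import re

# Constructed sample listener.ora; listener names, hosts and ports are placeholders.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.example.internal)(PORT = 2484))
    )
  )
LOCAL_OS_AUTHENTICATION_LISTENER = OFF   # the non-default setting the article describes

LISTENER_INT =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db02.example.internal)(PORT = 2484))
  )
"""

def parse_params(text):
    """Return {NAME: value} for top-level listener.ora parameters."""
    params, name, depth = {}, None, 0
    for line in re.sub(r"#.*", "", text).splitlines():   # drop comments
        # A new parameter can only start outside any parenthesised value.
        m = re.match(r"\s*([\w.]+)\s*=\s*(.*)", line) if depth == 0 else None
        if m:
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name:
            params[name] += " " + line.strip()           # continuation line
        depth += line.count("(") - line.count(")")
    return params

def audit(text):
    """List listeners that have a TCPS endpoint and local OS authentication OFF."""
    params = parse_params(text)
    findings = []
    for name, value in params.items():
        if "(" not in value:
            continue                                     # scalar setting, not a listener
        tcps = re.search(r"\(\s*PROTOCOL\s*=\s*TCPS\s*\)", value, re.I)
        # Assumption: an absent entry is treated as the protective default (ON).
        auth = params.get("LOCAL_OS_AUTHENTICATION_" + name, "ON").strip().upper()
        if tcps and auth == "OFF":
            findings.append(name)
    return findings

if __name__ == "__main__":
    for listener in audit(SAMPLE_LISTENER_ORA):
        print(f"{listener}: TCPS listener with local OS authentication OFF; "
              "confirm the April 15, 2025 patch for CVE-2025-30733 is applied")
```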

The affected servers show a global distribution across various Oracle database versions, primarily using the default listener port 1521 and running predominantly on Windows systems.

The researchers found that while the default Oracle configuration provides protection, only minor configuration changes are needed to make the vulnerability remotely exploitable.

This limited exposure suggests that many organizations may have inadvertently weakened their security posture through seemingly innocuous configuration modifications.

The vulnerability affects multiple Oracle database versions, indicating a widespread potential impact across different installations and environments.

Oracle’s Response and Timeline

Oracle demonstrated a prompt and professional response to the vulnerability disclosure, following responsible disclosure practices throughout the process.

The timeline began when Driftnet reported the issue on February 28, 2025, with Oracle quickly acknowledging receipt.

By March 25, Oracle confirmed the vulnerability and committed to fixing it in a future patch release.

Three days later, Oracle provided a specific timeline, promising the patch would be available on April 15, 2025, and indicated no objection to public disclosure after that date.

Oracle delivered the fix exactly as promised on April 15, 2025. The company assigned a CVSS v3.1 Base Score of 6.5 to the vulnerability, reflecting the moderate severity primarily due to the requirement for non-default configurations.

Driftnet waited an additional month before publishing their findings to allow organizations time to apply the necessary patches.

This coordinated disclosure approach exemplifies best practices in cybersecurity research and vendor cooperation.

Mayura
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
