This is the nameplate on the vault door, not the combination
Tenable plugin 110053 fires when an Oracle TNS listener on TCP 1521 answers an unauthenticated VERSION/VSNNUM request and reveals its listener build. The plugin itself does not tie the finding to a specific vulnerable Oracle release, and Oracle documentation shows VERSION is a built-in listener control behavior with no prerequisite password. Practically, any Oracle listener reachable by the scanner and willing to answer that request can trigger this, across many Oracle Database generations and both Linux and Windows listener deployments.
The vendor's MEDIUM label is too generous for enterprise patch scheduling. The finding is unauthenticated and remote, but the impact is only low-grade reconnaissance: it helps attackers fingerprint the stack and choose follow-on tooling, yet it does not itself expose credentials, data, or code execution. In real environments the decisive factor is exposure, not patch level: if the listener is not reachable from untrusted networks, the risk collapses fast.
3 steps from start to impact.
Find a reachable listener
1521, using nmap service discovery or broad port scanning. This is basic exposure mapping, not exploitation. Reference tool: nmap -sV.
- Oracle TNS listener is network reachable
- Firewall permits access to the listener port from the attacker's location
- Most enterprises do not intentionally expose database listeners to the internet
- Segmentation, VPN-only access, and private subnets usually break this step
1521/tcp as risky.
Pull the listener version
VERSION request and decodes the returned VSNNUM value into an Oracle listener version. This can be done with Nmap's oracle-tns-version NSE script or older enumeration tools like tnscmd. Oracle's own LSNRCTL reference documents that the VERSION command has no prerequisite and no password requirement before invocation.
- Listener responds to unauthenticated version queries
- No network ACL or listener restriction blocks the source IP
- Some listeners are reachable only from app tiers or DBA subnets
- Load balancers, IPS, or nonstandard listener behavior can suppress or distort the response
110053 detects this remotely but only with paranoid reporting enabled; Nmap confirms it directly.
Use the result for follow-on targeting
tnscmd into SID discovery and authentication attacks.
- Attacker has a second bug, weak credentials, or another Oracle misconfiguration to chain
- Target remains reachable for further probing or login attempts
- This step assumes another weakness exists; the version leak alone is not enough
- MFA, PAM controls, EDR on the DB host, account lockout, and segmentation stop the actual compromise path
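The VSNNUM decoding mentioned in the second step, shown as an added example for triaging scanner output (not code from the original page, Tenable, or Nmap). It uses the commonly documented bit layout of VSNNUM; the reply strings, host addresses and the `inventory` helper are constructed for illustration.

```python
import re
from collections import defaultdict

VSNNUM_RE = re.compile(r"\(VSNNUM=(\d+)\)")

# Constructed replies keyed by host; the addresses and values are illustrative only.
SAMPLE_REPLIES = {
    "10.20.30.40": "(DESCRIPTION=(TMP=)(VSNNUM=186646784)(ERR=0))",
    "10.20.30.41": "(DESCRIPTION=(TMP=)(VSNNUM=202375680)(ERR=1189))",
    "10.20.30.42": "(DESCRIPTION=(TMP=)(VSNNUM=186646784)(ERR=0))",
    "10.20.30.43": "(DESCRIPTION=(ERR=12504))",  # no VSNNUM field present
}


def decode_vsnnum(vsnnum):
    """Unpack VSNNUM into dotted form; fields are 8, 4, 8, 4 and 8 bits wide, high to low."""
    if not 0 <= vsnnum <= 0xFFFFFFFF:
        raise ValueError(f"VSNNUM out of 32-bit range: {vsnnum}")
    fields = (
        vsnnum >> 24,
        (vsnnum >> 20) & 0xF,
        (vsnnum >> 12) & 0xFF,
        (vsnnum >> 8) & 0xF,
        vsnnum & 0xFF,
    )
    return ".".join(str(f) for f in fields)


def version_from_reply(reply):
    """Return the decoded version, or None when the reply carries no VSNNUM."""
    m = VSNNUM_RE.search(reply)
    return decode_vsnnum(int(m.group(1))) if m else None


def inventory(replies):
    """Group hosts by disclosed listener version; non-disclosing hosts go under None."""
    groups = defaultdict(list)
    for host, reply in sorted(replies.items()):
        groups[version_from_reply(reply)].append(host)
    return dict(groups)
```

Grouping by decoded version makes it easy to see which listeners disclose a build and which do not, which is the input the exposure review needs.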
The supporting signals.
| In-the-wild status | No evidence this specific version-disclosure issue is being exploited as a standalone intrusion vector. It is not a known hands-on-keyboard impact bug; it is reconnaissance. |
|---|---|
| KEV status | Not KEV-listed. No associated CVE entry appears in CISA's Known Exploited Vulnerabilities Catalog. |
| Proof-of-concept availability | Publicly trivial. Nmap ships oracle-tns-version specifically to decode VSNNUM, and older Oracle enumeration tooling such as tnscmd is widely referenced in offensive guides. |
| EPSS | N/A — there is no CVE mapped by Tenable, so there is no FIRST EPSS record to score. |
| CVSS baseline | Tenable's NASL sets CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N = 5.3 MEDIUM. That is mathematically valid for *confidentiality-only* disclosure, but operationally overstates patch urgency. |
| Affected versions | Broadly any Oracle listener that answers unauthenticated VERSION/VSNNUM requests. The plugin does not narrow this to a vulnerable release train; it keys off listener behavior, not a patched/unpatched code branch. |
| Fixed version | No vendor patch or fixed release is cited by Tenable or Oracle for this behavior. This is handled as exposure reduction and listener access restriction, not version remediation. |
| Exposure reality | The real risk only exists where 1521/tcp is reachable from untrusted networks. UK government guidance explicitly warns that internet-exposed Oracle DB listeners create direct attack opportunities, and separate 2024 reporting on a different TNS bug found only about 40 exposed systems in one scan sample — a reminder that public exposure exists, but is not internet-scale compared with web middleware. |
| Scanner coverage | Tenable marks this as a remote, potential vulnerability and requires Settings/ParanoidReport; the plugin publication date is 2018-05-23 and last update is 2022-04-11. Nmap provides independent confirmation. |
| Reporter / source of record | Primary record is the Tenable plugin page and the mirrored NASL logic on Vulners. Oracle documentation confirms the underlying listener behavior. |
noisgate verdict.
The single biggest downshift is that this finding is pure reconnaissance: it leaks only listener version metadata and requires a second weakness to matter. The reachable population is also much narrower than web-tier bugs because Oracle listeners should sit on private app/DB networks, so the enterprise blast radius is mainly whatever you intentionally exposed.
Why this verdict
- Vendor baseline starts at 5.3, but the impact is only C:L — no integrity, no availability, no execution, no auth bypass.
- Attacker position is unauthenticated remote, but only if the listener is reachable — for most enterprises that implies a misexposed DB service, not broad external reachability.
- This step implies a second-stage dependency — the disclosure only helps choose later exploits or login paths; by itself it does not advance to code execution or data access.
Why not higher?
Because the chain stops at fingerprinting. There is no direct path here to execute code, dump data, or alter the database, and modern defenses that keep DB listeners off untrusted networks erase most of the practical risk. Even when externally reachable, this is still an intelligence leak, not a takeover bug.
Why not lower?
It is still remotely accessible information disclosure, and exact Oracle versioning does reduce attacker uncertainty during targeting. If you have internet-exposed listeners or flat internal networks, this finding does provide usable recon value and should not be dismissed as noise.
What to do — in priority order.
- Restrict listener reachability — Put Oracle listener ports behind firewall allow-lists, private subnets, or VPN-only paths. For a LOW verdict there is no hard SLA, so treat this as backlog hygiene, but close any unnecessary exposure before the next firewall review cycle.
- Validate Oracle net ACLs — Use Oracle network controls such as listener registration restrictions and valid-node style controls where supported, alongside network ACLs. This reduces who can even talk to the listener; for LOW, schedule as backlog hygiene rather than emergency change work.
- Watch for listener enumeration — Add lightweight detections for repeated probes to 1521/tcp, especially from non-app subnets, scanning ranges, or internet ingress points. This will not prevent the response, but it gives you signal when someone is mapping Oracle estate.
- Inventory exposed Oracle listeners — Treat the real problem as exposure management: identify every host with an Oracle listener reachable beyond its intended app tier. For LOW, no emergency SLA applies, but this belongs in normal attack-surface reduction work.
- Just patching the database home — this finding is not tied to a documented fixed version, so patching alone may not remove the behavior.
- EDR on the database host — it may catch later exploitation, but it does little to stop a simple unauthenticated version probe.
- Credential rotation — no credentials are needed for the disclosure step.
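A minimal version of the "watch for listener enumeration" detection described above, added here as an example and not part of the original page. It flags sources outside the expected subnets that touch several listener hosts on 1521/tcp within a short window; the log format, subnets, thresholds and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: subnets expected to reach listeners (app tier, DBA hosts) and thresholds.
EXPECTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.10.0/24", "10.20.99.0/28")]
LISTENER_PORT = 1521
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_TARGETS = 3  # distinct listener hosts touched by one source inside WINDOW
# Hypothetical log format: "<UTC time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (?:ALLOW|DENY) TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

# Constructed sample lines, not taken from a real environment.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ALLOW TCP 10.20.10.15:40112 -> 10.20.30.40:1521
2024-05-01T10:00:05Z ALLOW TCP 10.50.7.22:51514 -> 10.20.30.40:1521
2024-05-01T10:00:09Z DENY TCP 10.50.7.22:51516 -> 10.20.30.41:1521
2024-05-01T10:00:12Z ALLOW TCP 10.50.7.22:51520 -> 10.20.30.40:443
2024-05-01T10:00:31Z DENY TCP 10.50.7.22:51522 -> 10.20.30.42:1521
2024-05-01T10:01:00Z ALLOW TCP 10.60.1.9:33000 -> 10.20.30.40:1521
2024-05-01T10:20:00Z ALLOW TCP 10.60.1.9:33010 -> 10.20.30.41:1521
2024-05-01T10:45:00Z ALLOW TCP 10.60.1.9:33020 -> 10.20.30.42:1521
"""

def find_enumerators(log_text):
    """Return {source_ip: [listener hosts]} for unexpected sources sweeping 1521/tcp."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(4)) != LISTENER_PORT:
            continue  # unparseable line or not listener traffic
        ts_raw, src_raw, dst, _ = m.groups()
        src = ipaddress.ip_address(src_raw)
        if any(src in net for net in EXPECTED_SOURCES):
            continue  # app tier / DBA traffic is expected
        hits[src_raw].append((datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ"), dst))
    alerts = {}
    for src, seen in hits.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > WINDOW:
                start += 1  # slide the window forward past stale events
            targets = {dst for _, dst in seen[start:end + 1]}
            if len(targets) >= MIN_DISTINCT_TARGETS:
                alerts[src] = sorted(targets)
                break
    return alerts
```

On the sample lines, only 10.50.7.22 is flagged: 10.60.1.9 reaches the same three hosts but spread over 44 minutes, and the app-tier source is on the expected list.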
Crowdsourced verification payload.
Run this from an auditor workstation or scanner node that has network reachability to the Oracle listener. Invoke it as python3 check_tns_vsnnum.py 10.20.30.40 1521; it needs no privileges beyond the ability to run nmap and connect to the target port. The script reports VULNERABLE if Nmap can retrieve the listener version, PATCHED if the listener does not disclose it, and UNKNOWN if prerequisites are missing.
```python
#!/usr/bin/env python3
# check_tns_vsnnum.py
# Detects whether an Oracle TNS listener discloses VSNNUM/version unauthenticated
# by invoking Nmap's oracle-tns-version NSE script.
# Exit codes:
# 0 = PATCHED / not disclosing
# 1 = VULNERABLE / disclosing
# 2 = UNKNOWN / dependency or runtime issue
import shutil
import subprocess
import sys


def main():
    if len(sys.argv) not in (2, 3):
        print("UNKNOWN - usage: python3 check_tns_vsnnum.py <host> [port]", file=sys.stderr)
        sys.exit(2)

    host = sys.argv[1]
    port = sys.argv[2] if len(sys.argv) == 3 else "1521"

    if shutil.which("nmap") is None:
        print("UNKNOWN - nmap is not installed or not in PATH")
        sys.exit(2)

    cmd = [
        "nmap",
        "-Pn",
        "-n",
        "-p", str(port),
        "--script", "oracle-tns-version",
        host,
    ]

    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=90)
    except subprocess.TimeoutExpired:
        print("UNKNOWN - nmap timed out")
        sys.exit(2)
    except Exception as exc:
        print(f"UNKNOWN - failed to run nmap: {exc}")
        sys.exit(2)

    # A failed run (for example, the NSE script is not installed) names the
    # script in stderr; report UNKNOWN rather than matching on that text.
    if proc.returncode != 0:
        print("UNKNOWN - nmap exited with an error")
        sys.exit(2)

    output = (proc.stdout or "") + "\n" + (proc.stderr or "")
    low = output.lower()

    # Positive indicators from the NSE script / service detection output.
    indicators = [
        "oracle-tns-version",
        "vsnnum",
        "tnslsnr for",
        "tns listener",
    ]

    if any(i in low for i in indicators):
        print("VULNERABLE - listener version information was disclosed unauthenticated")
        sys.exit(1)

    if "0 hosts up" in low or "host seems down" in low:
        print("UNKNOWN - host unreachable from this scanner location")
        sys.exit(2)

    if "closed" in low or "filtered" in low:
        print("PATCHED - port not reachable or listener not exposed from this location")
        sys.exit(0)

    print("PATCHED - no unauthenticated listener version disclosure detected")
    sys.exit(0)


if __name__ == "__main__":
    main()
```
If you remember one thing.
1521/tcp exposure, and document the downgrade from vendor MEDIUM to noisgate LOW. For this severity there is no noisgate mitigation SLA and noisgate remediation SLA beyond backlog hygiene, so there is no emergency patch motion here; focus on access restriction and keep patch windows for issues with direct compromise impact.
Sources
- Tenable plugin 110053
- Vulners mirror of Tenable NASL
- Oracle Net Services Reference - LSNRCTL VERSION command
- Oracle listener administration guide
- Nmap oracle-tns-version NSE documentation
- UK Government guidance on open port 1521
- CISA Known Exploited Vulnerabilities Catalog
- SC Media reporting on exposed Oracle TNS systems