In other words Oracle Corp. has failed to develop configuration tools for RAC installations that result in a cluster setup that is impervious to the TNS listener poison attack by Joxean Koret (CVE-2012-1675).
Quote from above Ask Tom post (comments in brackets are mine):
"On 12.1 RAC databases, the parameter VALID_NODE_CHECKING_REGISTRATION_listener_name for both local and scan listeners is set by default to SUBNET/2 i.e. all machines in the subnet are allowed registration. This is done in order to allow registration to the local listeners and scan listeners from the instances on the other nodes of the RAC.
However, sometimes [Sometimes? No! Always!] this allows other instances in the same subnet [which may include an entire unsegmented company network or hundresds of Windows desktop systems in the same subnet as the database server] to register against these listeners. We want to prevent that [otherwise CVE-2012-1675 applies] and allow only local instances to that RAC database to be regsitered with these listeners."
It gets worse than this. After a fresh installation of Grid Infrastructure (GI) for RAC on a two node Linux cluster with 184.108.40.206 the following totally unsafe settings were made in listener.ora by GI:
$ grep -i registration $ORACLE_HOME/network/admin/listener.ora
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=OFF # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=OFF # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER=SUBNET # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_MGMTLSNR=SUBNET # line added by Agent
Consistent with Oracle's other often inadequate documentation the manuals "Oracle® Grid Infrastructure Installation and Upgrade Guide 12c Release 2 (12.2) for Linux E49640-10 May 2017" and "Oracle® Database Security Guide 12c Release 1 (12.1) E48135-15 September 2016" fail to mention the command srvctl modify scan_listener -update -invitednodes <list of safe cluster node names> to restrict service registration.
The manual "Oracle® Clusterware Administration and Deployment Guide 12c Release 1 (12.1) E48819-08 January 2015" does mention the new switch -invited_nodes but states the nonsense below such that DBAs reading the section quoted below will think that no changes are required. Quote: "You can configure the listeners to accept service registrations from a different subnet. For example, you might want to configure this environment when SCAN listeners share with instances on different clusters, and nodes in those clusters are on a different subnet. Run the srvctl modfiy scan_listener -invitednodes -invitedsubnets command to include the nodes in this environment."
There simply are no interactions between SCAN listeners of different clusters. The paragraph makes no sense.
Conclusion: Oracle once again has failed to properly handle a security issue.