Oracle Database Server SYSMAN password plaintext
oracle-sysman-password-plaintext (18661)
Description:
Oracle10g Database Server could allow a local attacker to obtain sensitive information. If an error occurs during installation, passwords for certain accounts, such as SYSMAN, are stored in world-readable files. A local attacker could retrieve these files to obtain passwords.
Platforms Affected:
- Oracle, Database Server 10.1.0.2
Remedy:
Apply the appropriate patch for your system, available from the Oracle Security Alert #68. See References.
Consequences:
Obtain Information
References:
- NGSSoftware Insight Security Research Advisory #NISR2122004D: Oracle 10g clear text passwords, http://www.ngssoftware.com/advisories/oracle23122004D.txt
- Oracle Security Alert #68: This security alert addresses security vulnerabilities in Oracle's server products, http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
- BID-10871: Oracle Multiple Unspecified Vulnerabilities
- CVE-2004-1366: Oracle 10g Database Server stores the password for the SYSMAN account in cleartext in the world-readable emoms.properties file, which could allow local users to gain DBA privileges.
- CVE-2004-1367: Oracle 10g Database Server, when installed with a password that contains an exclamation point (!) for the (1) DBSNMP or (2) SYSMAN user, generates an error that logs the password in the world-readable postDBCreation.log file, which could allow local users to obtain that password and use it against SYS or SYSTEM accounts, which may have been installed with the same password.
- US-CERT VU#316206: Oracle Database Server contains several vulnerabilities
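The two files named in CVE-2004-1366 and CVE-2004-1367 (emoms.properties and postDBCreation.log) are dangerous only because they are world-readable. The following POSIX shell script is an added defensive check, not part of the X-Force record or of any Oracle tooling: it audits an Oracle home for copies of those files that grant read access to "other" and offers a remediation that strips that access. The default ORACLE_HOME path and the assumption that the files can be located by name anywhere under the home are assumptions, not facts from the advisory.

```shell
#!/bin/sh
# Added example (not from the X-Force record): audit an Oracle 10g home for
# world-readable copies of the files that leaked passwords in
# CVE-2004-1366 / CVE-2004-1367, and optionally remove "other" access.

# world_readable FILE -> exit 0 if FILE grants read permission to "other",
# exit 1 if it does not (or does not exist).
world_readable() {
    f="$1"
    [ -e "$f" ] || return 1
    # GNU stat gives e.g. "-rw-r--r--"; fall back to ls for non-GNU systems.
    if perms=$(stat -c '%A' "$f" 2>/dev/null); then
        :
    else
        perms=$(ls -ld "$f" | cut -c1-10)
    fi
    # Character 8 of the mode string is the "other" read bit.
    case "$perms" in
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_oracle_secrets [HOME] -> prints one path per line for every
# emoms.properties or postDBCreation.log under HOME that is world-readable.
audit_oracle_secrets() {
    # The default location is an assumption; set ORACLE_HOME or pass a path.
    home="${1:-${ORACLE_HOME:-/u01/app/oracle/product/10.1.0/db_1}}"
    find "$home" \( -name emoms.properties -o -name postDBCreation.log \) \
        -type f 2>/dev/null |
    while IFS= read -r f; do
        if world_readable "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# restrict_file FILE -> remove read/write/execute for "other" on FILE.
# This is a containment step; the passwords in the file should still be
# treated as exposed and rotated, and the vendor patch applied.
restrict_file() {
    chmod o-rwx "$1"
}

# Usage: run the audit against the configured home when one is set.
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_oracle_secrets "$ORACLE_HOME"
fi
```

The audit only reports; a change-controlled cleanup would feed its output to restrict_file, then rotate the SYSMAN and DBSNMP passwords (and SYS/SYSTEM if they were set to the same value, as CVE-2004-1367 describes) since the secret has already been readable by every local account.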
Reported:
Dec 25, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
