Security Alert

From: Terry Ball <>
Date: Thu, 21 Dec 2000 09:03:57 -0600
Message-Id: <>

We received this and thought I'd pass it on to those who might need to know.

  On Dec 20, 2000 the Vulnerability Service research team identified a vulnerability affecting a technology for which you have enabled vulnerability alerts. The details of the vulnerability follow:

  Oracle Enterprise Manager backup and restore credential vulnerabilities

  Oracle Enterprise Manager is vulnerable to a flaw that may allow an attacker to gain access to databases. First, a temporary file is created that contains SYSDBA authentication information. Second, a TCL script is created that can contain credential information when a job is submitted to the Manager Agent that contains credentials or recovery catalog. Third, credentials are also revealed when the backup process occurs and can be observed with a process listing. Note OEM 2.2 is only vulnerable to the last issue.

  Attackers can gain sensitive information which may lead to further access.

  Affected Technologies:
  Oracle Enterprise Manager 2.0.4, 2.1, 2.2
  Oracle 8.1.5, 8.1.6,

  Recommended Fix:
  Upgrade to the latest version of OEM available from the vendor:

  Version 2.2:





  Copyright 2000 All rights reserved.

  No part of the content or information included in this alert may be reproduced, re-transmitted or otherwise redistributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, re-keying, or using any information storage and retrieval system, without the prior written permission of The content or information included in this alert is proprietary and confidential to ('Confidential Information'). By accessing this information, you agree to keep Confidential Information confidential and to not use Confidential Information for any purpose not authorized by your written agreement with

  This alert is maintained by for the benefit of subscribers to its On-line Vulnerability Service. Your access to and use of the information contained in this alert, are subject to the terms and conditions of your written subscription agreement with Nothing in this alert should be construed as granting or conferring any license to use the

Received on Thu Dec 21 2000 - 09:03:57 CST
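The third issue in the alert, credentials observable in a process listing, can be checked for on your own hosts. The following is an added example, not part of the original message or the alert: it scans `ps` output for Oracle connect strings of the form `user/password[@service]` and reports them with the password redacted. The sample listing is constructed, and the `rman`/`sqlplus` command lines and the keyword list are assumptions, since the alert does not name the backup command involved.

```python
import re

# Assumption: RMAN-style keywords that are followed by a connect string.
CONNECT_KEYWORDS = {"target", "catalog", "rcvcat", "auxiliary"}
# One argv token of the form user/password[@service].
CONNECT_TOKEN = re.compile(r"^([A-Za-z][\w$#]*)/([^/@\s]+)(@[\w.\-]+)?$")

# Constructed sample of `ps -eo pid,user,args` output (not from the alert).
SAMPLE_PS = """\
  PID USER     COMMAND
 4101 oracle   rman target sys/Chang3me@PROD rcvcat rman/catpw@RCAT
 4102 oracle   /u01/app/oracle/bin/tnslsnr LISTENER -inherit
 4103 oracle   rman target / cmdfile scripts/nightly.rcv
 4110 appuser  sqlplus -s scott/tiger@ORCL @report.sql
 4111 oracle   rman target internal/oracle
"""


def scan_process_listing(ps_text):
    """Return one finding per process whose arguments carry a password."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header or malformed line
        pid, owner, args = fields
        tokens = args.split()
        accounts = []
        for i, tok in enumerate(tokens):
            m = CONNECT_TOKEN.match(tok)
            if not m:
                continue
            after_keyword = i > 0 and tokens[i - 1].lower() in CONNECT_KEYWORDS
            # A bare a/b token is usually a relative path; require @service
            # or a preceding connect keyword before treating it as a secret.
            if m.group(3) or after_keyword:
                accounts.append(m.group(1))
                # Redact so the report does not repeat the exposure.
                tokens[i] = f"{m.group(1)}/****{m.group(3) or ''}"
        if accounts:
            findings.append({"pid": int(pid), "owner": owner,
                             "accounts": accounts, "args": " ".join(tokens)})
    return findings


if __name__ == "__main__":
    for f in scan_process_listing(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['owner']}): {f['accounts']} -> {f['args']}")
```

Any process it flags is exposing a password to every local user who can list processes, for as long as that process runs.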
