Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Oracle 11g/10g Installation Vulnerability

Oracle 11g/10g Installation Vulnerability

From: David Litchfield <david_at_databasesecurity.com>
Date: Tue, 13 Nov 2007 19:52:58 -0000
Message-ID: <592B48B3DE2F41C0B504B02A995798BA@regulus> 





Hey all,


After investigating 11g the other day I came across an interesting issue.
During the installation of Oracle 11g and 10g all accounts, including the
SYS and SYSTEM accounts, have their default passwords and only at the end of
the install are the passwords changed. This means that there is a window of
opportunity for an attacker to log into the database server during the
install process. Depending upon "which" install options you choose
determines the size of the window. Full details for those that are
interested can be found here:


http://www.davidlitchfield.com/blog/archives/00000030.htm - since I reported
this to Oracle on the 3rd of November they've updated their security
checklist document:


http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_
db_database_20071108.pdf 


Cheers,


David Litchfield


--
http://www.freelists.org/webpage/oracle-l


Received on Tue Nov 13 2007 - 13:52:58 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US