Oracle 11g/10g Installation Vulnerability

• From: "David Litchfield" <david@xxxxxxxxxxxxxxxxxxxx>
• To: "'Oracle-L Freelists'" <oracle-l@xxxxxxxxxxxxx>
• Date: Tue, 13 Nov 2007 19:52:58 -0000

Hey all,
After investigating 11g the other day I came across an interesting issue.
During the installation of Oracle 11g and 10g all accounts, including the
SYS and SYSTEM accounts, have their default passwords and only at the end of
the install are the passwords changed. This means that there is a window of
opportunity for an attacker to log into the database server during the
install process. Depending upon "which" install options you choose
determines the size of the window. Full details for those that are
interested can be found here:
http://www.davidlitchfield.com/blog/archives/00000030.htm - since I reported
this to Oracle on the 3rd of November they've updated their security
checklist document:
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_
db_database_20071108.pdf 
Cheers,
David Litchfield

--
//www.freelists.org/webpage/oracle-l

• Follow-Ups:
  • Re: Oracle 11g/10g Installation Vulnerability
    • From: Don Seiler
  • 10g client/database installation
    • From: Maureen English

• References:
  • Data Guard Physical standby 9i archive log registration
    • From: Ranko Mosic
  • Re: Data Guard Physical standby 9i archive log registration
    • From: Alex Gorbachev
  • Re: Data Guard Physical standby 9i archive log registration
    • From: goran bogdanovic
  • Re: Data Guard Physical standby 9i archive log registration
    • From: Alex Gorbachev
  • Re: Data Guard Physical standby 9i archive log registration
    • From: Ranko Mosic

Other related posts:

• » Oracle 11g/10g Installation Vulnerability
• » Re: Oracle 11g/10g Installation Vulnerability
• » RE: Oracle 11g/10g Installation Vulnerability

1. Home
2. oracle-l
3. Archive
4. 11-2007

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---