| VID |
25004 |
| Severity |
40 |
| Port |
1521, ... |
| Protocol |
TCP |
| Class |
DB |
| Detailed Description |
When an Oracle database is created, accounts are created in the database for administrative and operational purposes. The default passwords for these accounts are widely known, so it is a substantial security risk to leave the default passwords in place. Accounts with default passwords may exist, depending on the version of Oracle and the options installed.
* Note: This check by default checks for the following account ID and password combinations: po/po, pubsub/pubsub, sample/sample, event/event, finance/finance, mfg/mfg, modtest/yes, vrr1/vrr1, company/company, mdsys/mdsys, scott/tiger, dbsnmp/dbsnmp, demo/demo, demo8/demo8, po8/po8, rman/rman, tracesrv/trace, applsys/applsys, ctxdemo/ctxdemo, names/names, sysadm/sysadm, ordplugins/ordplugins, outln/outln, adams/wood, blake/paper, jones/steel, clark/cloth, apps/apps, aurora$orb$unauthenticated/invalid
* References:
  http://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
  http://www.vulnerabilityassessment.co.uk/default_oracle_passwords.htm |
| Recommendation |
Change the user's password to something other than the default password immediately. To change the password of a user, log in to the Oracle server as that user with the 'sqlplus' command and execute a command like this:
alter user dbsnmp identified by "secretpwd";
The command above changes the password for user "dbsnmp" to "secretpwd". |
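The following is an added example, not part of the original check text: a DBA-side audit that lists which of the accounts named in this check exist in the database and generates lock statements for review. It assumes a session with access to DBA_USERS; the DBA_USERS_WITH_DEFPWD view is only available on Oracle 11g and later, and the new password shown is a placeholder.

```sql
-- Added example. Run as a DBA in SQL*Plus.

-- 1. Which of the accounts named in this check exist, and are they usable?
--    Account names are stored in upper case in the data dictionary.
SELECT username, account_status, created
FROM   dba_users
WHERE  username IN (
         'PO','PUBSUB','SAMPLE','EVENT','FINANCE','MFG','MODTEST','VRR1',
         'COMPANY','MDSYS','SCOTT','DBSNMP','DEMO','DEMO8','PO8','RMAN',
         'TRACESRV','APPLSYS','CTXDEMO','NAMES','SYSADM','ORDPLUGINS',
         'OUTLN','ADAMS','BLAKE','JONES','CLARK','APPS',
         'AURORA$ORB$UNAUTHENTICATED')
ORDER  BY account_status, username;

-- 2. Oracle 11g and later only: accounts whose password is still a
--    known default, as tracked by the database itself.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;

-- 3. Generate (do not execute blindly) lock statements for listed accounts
--    that are still open. Review the output: accounts that are in use
--    should get a new password instead of being locked.
SELECT 'ALTER USER "' || username || '" ACCOUNT LOCK PASSWORD EXPIRE;' AS stmt
FROM   dba_users
WHERE  account_status = 'OPEN'
AND    username IN (
         'PO','PUBSUB','SAMPLE','EVENT','FINANCE','MFG','MODTEST','VRR1',
         'COMPANY','MDSYS','SCOTT','DBSNMP','DEMO','DEMO8','PO8','RMAN',
         'TRACESRV','APPLSYS','CTXDEMO','NAMES','SYSADM','ORDPLUGINS',
         'OUTLN','ADAMS','BLAKE','JONES','CLARK','APPS',
         'AURORA$ORB$UNAUTHENTICATED');

-- 4. For an account that must stay open, set a non-default password.
--    "Placeholder_Pw_1" is a placeholder value, not a recommendation.
ALTER USER dbsnmp IDENTIFIED BY "Placeholder_Pw_1";
```

Re-running the first query after remediation should show no listed account in OPEN status with an unchanged password.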
| Related URL |
CVE-2002-0965 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|