Security risk with catsnmp catalog
Hi Listers,
There is a security risk with catsnmp catalog
(<ORACLE_HOME>/rdbms/admin/catsnmp.sql)
which is shipped with Oracle releases.
This is generic.
Details:
This file drops and recreates user dbsnmp with the default password
"dbsnmp" and gives it different privileges.
For 8i releases, these are mostly privileges on V_$ views.
But for 9i releases, it will grant the "SELECT ANY DICTIONARY"
privilege (this one gives access to any SYS object, like link$, if
you see what I mean...).
One can argue that the security policy of the site should ensure that
the default password is changed.
But even in this case, I'm sure that over time many databases will
revert to the default password, because catproc.sql (which automatically
executes catsnmp) is required when applying patchsets and sometimes
individual patches.
I opened a TAR and the support analyst referred me to bug #2432163, which is visible (I thought naively that all security problems were kept away from prying eyes...).
As a patch will probably take some time, I asked Oracle to place an alert accordingly.
In the meantime, if you don't use OEM, I strongly suggest that you:
1. execute <ORACLE_HOME>/rdbms/admin/catnsnmp.sql to remove this stuff;
2. remove <ORACLE_HOME>/bin/dbsnmp, which is by default setuid root
(at least if you have followed the install procedures and run root.sh).
Unbreakable...or autobreakable ;-)
Regards
Gilles Parc
carpe diem !!
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Gilles PARC
INET: gparc_at_online.fr
Received on Sun Aug 11 2002 - 17:33:17 CDT
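As an added example that is not part of Gilles's post, the POSIX shell script below audits the two things the post points at: whether the dbsnmp binary under ORACLE_HOME carries the setuid bit, and whether the DBSNMP account holds SELECT ANY DICTIONARY. The privilege check parses GRANTEE:PRIVILEGE lines; in the script those lines are a constructed sample, and a commented pipeline shows how a DBA would feed it real output from the included query via sqlplus (the ORACLE_HOME fallback path is a placeholder, and dba_sys_privs / dba_users are the standard dictionary views).

```shell
#!/bin/sh
# Audit helpers for the DBSNMP / catsnmp issue. Not Oracle's code; written for
# this page. Assumptions: ORACLE_HOME is set (the fallback below is a
# placeholder) and sqlplus is available for the live variant of the check.

# Return 0 if the given file has the setuid bit (mode 4000), 1 if not,
# 2 if it does not exist. Uses POSIX find so it works without GNU stat.
is_setuid() {
    f=$1
    [ -e "$f" ] || return 2
    # -prune stops find from descending; -perm -4000 matches the setuid bit.
    # Add "-user root" to the find expression to require setuid *root*.
    [ -n "$(find "$f" -prune -perm -4000 2>/dev/null)" ]
}

# SQL the DBA would run through sqlplus to list what DBSNMP holds, one
# GRANTEE:PRIVILEGE (or USERNAME:STATUS) line per row, no decoration.
audit_sql() {
    cat <<'EOF'
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT grantee || ':' || privilege FROM dba_sys_privs WHERE grantee = 'DBSNMP';
SELECT username || ':' || account_status FROM dba_users WHERE username = 'DBSNMP';
EOF
}

# Given GRANTEE:PRIVILEGE lines on stdin, return 0 if DBSNMP holds
# SELECT ANY DICTIONARY (the 9i grant the post warns about), else 1.
dbsnmp_has_select_any_dictionary() {
    grep -q '^DBSNMP:SELECT ANY DICTIONARY$'
}

# Constructed sample output (not from a real database) so the script runs
# offline; it imitates what audit_sql would return on a 9i install.
SAMPLE_PRIVS='DBSNMP:SELECT ANY DICTIONARY
DBSNMP:CREATE SESSION
DBSNMP:OPEN'

main() {
    home=${ORACLE_HOME:-/u01/app/oracle/product/9.2.0}   # placeholder path
    bin="$home/bin/dbsnmp"
    if is_setuid "$bin"; then
        echo "WARNING: $bin is setuid (post recommends removing it if OEM is unused)"
    else
        echo "OK: $bin is missing or not setuid"
    fi

    # Live variant (requires a SYSDBA session):
    #   audit_sql | sqlplus -s '/ as sysdba' | dbsnmp_has_select_any_dictionary
    if printf '%s\n' "$SAMPLE_PRIVS" | dbsnmp_has_select_any_dictionary; then
        echo "WARNING: DBSNMP holds SELECT ANY DICTIONARY; run catnsnmp.sql or lock the account"
    else
        echo "OK: DBSNMP does not hold SELECT ANY DICTIONARY"
    fi
}

main "$@"
```

Run it after every patchset or patch that re-executes catproc.sql, since that is exactly the moment the post says the default account comes back.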