CVE-2004-1367

Description

Oracle 10g Database Server, when installed with a password that contains an exclamation point ("!") for the (1) DBSNMP or (2) SYSMAN user, generates an error that logs the password in the world-readable postDBCreation.log file, which could allow local users to obtain that password and use it against SYS or SYSTEM accounts, which may have been installed with the same password.

Affected products

• oracle / application_server9.0.4.1 – 9.0.4.1
• oracle / application_server9.0.2 – 9.0.2
• oracle / application_server9.0.2.0.0 – 9.0.2.0.0
• oracle / application_server
• oracle / application_server9.0.2.0.1 – 9.0.2.0.1
• oracle / application_server9.0.2.1 – 9.0.2.1
• oracle / application_server9.0.2.2 – 9.0.2.2
• oracle / application_server9.0.2.3 – 9.0.2.3
• oracle / application_server9.0.3 – 9.0.3
• oracle / application_server9.0.3.1 – 9.0.3.1
• oracle / application_server9.0.4 – 9.0.4
• oracle / application_server9.0.4.0 – 9.0.4.0
• oracle / collaboration_suiterelease_1 – release_1
• oracle / e-business_suite11.5.3 – 11.5.3
• oracle / e-business_suite11.5.9 – 11.5.9
• oracle / e-business_suite11.5.1 – 11.5.1
• oracle / e-business_suite11.5.2 – 11.5.2
• oracle / e-business_suite11.5.4 – 11.5.4
• oracle / e-business_suite11.5.5 – 11.5.5
• oracle / e-business_suite11.5.6 – 11.5.6
• oracle / e-business_suite11.5.7 – 11.5.7
• oracle / e-business_suite11.5.8 – 11.5.8
• oracle / enterprise_manager9 – 9
• oracle / enterprise_manager9.0.1 – 9.0.1
• oracle / enterprise_manager_database_control10.1.2 – 10.1.2
• oracle / enterprise_manager_grid_control10.1.0.2 – 10.1.0.2
• oracle / oracle10genterprise_9.0.4_.0 – enterprise_9.0.4_.0
• oracle / oracle10genterprise_10.1.0.2 – enterprise_10.1.0.2
• oracle / oracle10gpersonal_9.0.4_.0 – personal_9.0.4_.0
• oracle / oracle10gpersonal_10.1_.0.2 – personal_10.1_.0.2
• oracle / oracle10gstandard_9.0.4_.0 – standard_9.0.4_.0
• oracle / oracle10gstandard_10.1_.0.2 – standard_10.1_.0.2
• oracle / oracle8ienterprise_8.0.6_.0.0 – enterprise_8.0.6_.0.0
• oracle / oracle8ienterprise_8.0.5_.0.0 – enterprise_8.0.5_.0.0
• oracle / oracle8ienterprise_8.0.6_.0.1 – enterprise_8.0.6_.0.1
• oracle / oracle8ienterprise_8.1.5_.0.0 – enterprise_8.1.5_.0.0
• oracle / oracle8ienterprise_8.1.5_.0.2 – enterprise_8.1.5_.0.2
• oracle / oracle8ienterprise_8.1.5_.1.0 – enterprise_8.1.5_.1.0
• oracle / oracle8ienterprise_8.1.6_.0.0 – enterprise_8.1.6_.0.0
• oracle / oracle8ienterprise_8.1.6_.1.0 – enterprise_8.1.6_.1.0
• oracle / oracle8ienterprise_8.1.7_.0.0 – enterprise_8.1.7_.0.0
• oracle / oracle8ienterprise_8.1.7_.1.0 – enterprise_8.1.7_.1.0
• oracle / oracle8ienterprise_8.1.7_.4 – enterprise_8.1.7_.4
• oracle / oracle8istandard_8.0.6 – standard_8.0.6
• oracle / oracle8istandard_8.0.6_.3 – standard_8.0.6_.3
• oracle / oracle8istandard_8.1.5 – standard_8.1.5
• oracle / oracle8istandard_8.1.6 – standard_8.1.6
• oracle / oracle8istandard_8.1.7 – standard_8.1.7
• oracle / oracle8istandard_8.1.7_.0.0 – standard_8.1.7_.0.0
• oracle / oracle8istandard_8.1.7_.1 – standard_8.1.7_.1
• oracle / oracle8istandard_8.1.7_.4 – standard_8.1.7_.4
• oracle / oracle9iclient_9.2.0.1 – client_9.2.0.1
• oracle / oracle9iclient_9.2.0.2 – client_9.2.0.2
• oracle / oracle9ienterprise_8.1.7 – enterprise_8.1.7
• oracle / oracle9ienterprise_9.0.1 – enterprise_9.0.1
• oracle / oracle9ienterprise_9.0.1.4 – enterprise_9.0.1.4
• oracle / oracle9ienterprise_9.0.1.5 – enterprise_9.0.1.5
• oracle / oracle9ienterprise_9.2.0 – enterprise_9.2.0
• oracle / oracle9ienterprise_9.2.0.1 – enterprise_9.2.0.1
• oracle / oracle9ienterprise_9.2.0.2 – enterprise_9.2.0.2
• oracle / oracle9ienterprise_9.2.0.3 – enterprise_9.2.0.3
• oracle / oracle9ienterprise_9.2.0.4 – enterprise_9.2.0.4
• oracle / oracle9ienterprise_9.2.0.5 – enterprise_9.2.0.5
• oracle / oracle9ipersonal_8.1.7 – personal_8.1.7
• oracle / oracle9ipersonal_9.0.1 – personal_9.0.1
• oracle / oracle9ipersonal_9.0.1.4 – personal_9.0.1.4
• oracle / oracle9ipersonal_9.0.1.5 – personal_9.0.1.5
• oracle / oracle9ipersonal_9.2 – personal_9.2
• oracle / oracle9ipersonal_9.2.0.1 – personal_9.2.0.1
• oracle / oracle9ipersonal_9.2.0.2 – personal_9.2.0.2
• oracle / oracle9ipersonal_9.2.0.3 – personal_9.2.0.3
• oracle / oracle9ipersonal_9.2.0.4 – personal_9.2.0.4
• oracle / oracle9ipersonal_9.2.0.5 – personal_9.2.0.5
• oracle / oracle9istandard_8.1.7 – standard_8.1.7
• oracle / oracle9istandard_9.0 – standard_9.0
• oracle / oracle9istandard_9.0.1 – standard_9.0.1
• oracle / oracle9istandard_9.0.1.2 – standard_9.0.1.2
• oracle / oracle9istandard_9.0.1.3 – standard_9.0.1.3
• oracle / oracle9istandard_9.0.1.4 – standard_9.0.1.4
• oracle / oracle9istandard_9.0.1.5 – standard_9.0.1.5
• oracle / oracle9istandard_9.0.2 – standard_9.0.2
• oracle / oracle9istandard_9.2 – standard_9.2
• oracle / oracle9istandard_9.2.0.1 – standard_9.2.0.1
• oracle / oracle9istandard_9.2.0.2 – standard_9.2.0.2
• oracle / oracle9istandard_9.2.0.3 – standard_9.2.0.3
• oracle / oracle9istandard_9.2.0.4 – standard_9.2.0.4
• oracle / oracle9istandard_9.2.0.5 – standard_9.2.0.5

References

• MAILING_LISThttp://marc.info/?l=bugtraq&m=110382247308064&w=2
• MISChttp://www.kb.cert.org/vuls/id/316206
• MISChttp://www.us-cert.gov/cas/techalerts/TA04-245A.html
• VENDOR_ADVISORYhttp://www.ngssoftware.com/advisories/oracle23122004D.txt
• VENDOR_ADVISORYhttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
• MISChttp://sunsolve.sun.com/search/document.do?assetkey=1-26-101782-1