Oracle Password Hash in Audit Logs
The alter user command was not filtered properly. As a result, the password hash was written into the audit trail of Oracle (Core) Auditing and Oracle Database Vault Audit Trail.
Sample (without database vault):
SQL> alter user alter_test identified by values 'D768C717761F43BB' replace alter_test;
SQL> select sql_text from sys.aud$ where lower(sql_text) like '%alter user%';
alter user alter_test identified by values 'D768C717761F43BB' replace ********;
Sample (with database vault):
SQL> conn / as sysdba
SQL> create user alexK identified by values '05E29458F5CE92C7';
create user alexk identified by values '05E29458F5CE92C7'
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> conn DVSYS/DVSYS123
SQL> select username,action_command from dvsys.audit_trail$ where action_command
SYS create user alexKs identified by values '05E29458F5CE92C7'
Apply the patches for Oracle CPU Jul 2009.
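To check whether audit records already hold such statements, the following added example (not part of the original advisory and not Oracle code) scans exported audit text for the identified by values clause and masks the hash. The function name and the export format (one statement per line) are assumptions; the first two sample lines are the audit entries shown above.

```python
import re

# CREATE/ALTER USER ... IDENTIFIED BY VALUES '<hash>' as it appears in the
# audit entries above. Group 3 is whatever sits between the quotes; it is
# treated as sensitive regardless of its length or format.
HASH_CLAUSE = re.compile(
    r"\b(create|alter)\s+user\s+(\"[^\"]+\"|\S+)\s+"
    r"identified\s+by\s+values\s+'([^']*)'",
    re.IGNORECASE,
)

def find_exposed_hashes(lines):
    """Return (line_no, action, username, redacted_text) for every hit."""
    hits = []
    for line_no, text in enumerate(lines, start=1):
        m = HASH_CLAUSE.search(text)
        if m is None:
            continue
        # Keep the surrounding statement, replace only the quoted value.
        redacted = text[:m.start(3)] + "*" * 8 + text[m.end(3):]
        hits.append((line_no, m.group(1).lower(), m.group(2), redacted))
    return hits

# Lines 1-2: audit entries quoted in the advisory. Line 3: constructed
# statement without a hash clause, to show it is not flagged.
SAMPLE = [
    "alter user alter_test identified by values 'D768C717761F43BB' replace ********;",
    "SYS create user alexKs identified by values '05E29458F5CE92C7'",
    "alter user scott account unlock;",
]

if __name__ == "__main__":
    for line_no, action, user, redacted in find_exposed_hashes(SAMPLE):
        print(f"line {line_no}: {action} user {user}: {redacted}")
```

The redacted text can be stored or forwarded in place of the original statement, and the list of usernames identifies the accounts whose hashes were recorded.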
20-aug-2008 Bug reported
15-jul-2009 Oracle published CPU January 2009
27-jul-2009 Advisory published
© 2009 by Red-Database-Security GmbH - last update 27-jul-2009