Oracle Password Hash in Audit Logs
Details

The alter user command was not filtered properly. As a result, the password hash was written into the audit trail of Oracle (Core) Auditing and the Oracle Database Vault Audit Trail.

Sample (without database vault):

    SQL> alter user alter_test identified by values 'D768C717761F43BB' replace alter_test;
    SQL> select sql_text from sys.aud$ where lower(sql_text) like '%alter user%';

    alter user alter_test identified by values 'D768C717761F43BB' replace ********;

Sample (with database vault):

    SQL> conn / as sysdba
    SQL> create user alexK identified by values '05E29458F5CE92C7';
    create user alexk identified by values '05E29458F5CE92C7'
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges

    SQL> conn DVSYS/DVSYS123
    SQL> select username,action_command from dvsys.audit_trail$ where action_command like '%create%';

    SYS create user alexKs identified by values '05E29458F5CE92C7'

Patch Information

Apply the patches for Oracle CPU Jul 2009.

History

20-aug-2008 Bug reported
15-jul-2009 Oracle published CPU January 2009
27-jul-2009 Advisory published

© 2009 by Red-Database-Security GmbH - last update 27-jul-2009
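To check whether an existing audit trail already contains hashes exposed this way, the audited statements can be scanned and the hash literal redacted before the rows are shared with reviewers. The following is an added example, not part of the original advisory or of any Oracle tooling; the function name find_leaks, the (source, text) row layout and the sample rows are constructed for illustration, and it assumes the sql_text / action_command values have been exported from the audit tables.

```python
import re

# Matches CREATE/ALTER USER ... IDENTIFIED BY VALUES '<literal>' in audited SQL.
# The quoted literal is the password hash the advisory shows being logged.
# Assumption: any quoted literal is treated as a hash, not only 16 hex digits.
LEAK_RE = re.compile(
    r"\b(?P<verb>create|alter)\s+user\s+(?P<user>\"[^\"]+\"|\S+)\s+"
    r"identified\s+by\s+values\s+'(?P<hash>[^']*)'",
    re.IGNORECASE,
)


def find_leaks(rows):
    """Return (source, target_user, redacted_sql) for each row exposing a hash.

    rows: iterable of (source, sql_text) pairs exported from the audit tables.
    """
    findings = []
    for source, sql_text in rows:
        m = LEAK_RE.search(sql_text or "")  # audit rows may carry no SQL text
        if not m:
            continue
        # Replace only the hash literal; keep the rest of the statement readable.
        redacted = (
            sql_text[: m.start("hash")] + "<redacted>" + sql_text[m.end("hash"):]
        )
        findings.append((source, m.group("user"), redacted))
    return findings


# Constructed sample rows, modelled on the statements shown in the advisory.
SAMPLE_ROWS = [
    ("sys.aud$",
     "alter user alter_test identified by values 'D768C717761F43BB' replace ********;"),
    ("dvsys.audit_trail$",
     "create user alexKs identified by values '05E29458F5CE92C7'"),
    ("sys.aud$", "alter user scott identified by ********"),  # masked, no hash
    ("sys.aud$", None),                                       # row without SQL text
]

if __name__ == "__main__":
    for source, user, sql in find_leaks(SAMPLE_ROWS):
        print(f"{source}: hash for {user} exposed -> {sql}")
```

Accounts reported by the scan should have their passwords changed after the patch is applied, since the hash remains readable to anyone who can query the audit tables until the affected rows are purged.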