Hi,

There is a security risk with the catsnmp catalog (in $ORACLE_HOME/rdbms/admin) which is shipped with 8i/9i releases.
--
Details: this file drops and recreates the user dbsnmp with the default password "dbsnmp" and gives it some database privileges.
For 8i releases, these privileges are mostly grants on V_$ views.
For 9i releases, this user is granted the "SELECT ANY DICTIONARY" privilege, which is a powerful one (it can see any SYS objects, like link$, which stores unencrypted passwords).
--
One can argue that the security policy of the site should ensure that default passwords must be changed.
But even in this case, I'm sure that over time many databases will revert to the default password, because catproc.sql (which automatically executes catsnmp) is required by Oracle when applying patchsets and sometimes individual patches.
--
I asked Oracle one week ago to place an alert on that matter and was referred by a support analyst to bug #2432163, which is publicly visible on their Metalink site.
(I naively thought that all security problems were kept away from prying eyes...)

They refused to escalate this bug to severity 1 because there is a workaround (disabling this user).
BUT most Oracle DBAs don't know about this risky behavior happening behind their back!!

That's why I turned to Bugtraq to post this alert.

  Regards

--


Carpe Diem !!
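Added example, not part of the original post: a post-patch check in Oracle SQL that shows whether the dbsnmp account described above has been recreated open and still holds SELECT ANY DICTIONARY, followed by the lock/revoke workaround the post mentions. The placeholder password is an assumption; the dictionary views used are standard.

```sql
-- Added example: run as SYSDBA after catproc.sql or a patchset has been applied.
-- Only standard dictionary views are used (DBA_USERS, DBA_SYS_PRIVS, DBA_TAB_PRIVS).

-- 1. Has the dbsnmp account been recreated and left open? Because catsnmp.sql
--    drops and recreates the user, a CREATED date matching the patch date is
--    itself a sign the password was reset to the default.
SELECT username, account_status, created
  FROM dba_users
 WHERE username = 'DBSNMP';

-- 2. System privileges held. On 9i, SELECT ANY DICTIONARY alone exposes
--    SYS.LINK$ and every other SYS-owned table.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'DBSNMP'
 ORDER BY privilege;

-- 3. Object grants held (on 8i these are mostly V_$ views).
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'DBSNMP'
 ORDER BY owner, table_name;

-- 4. Workaround from the post: disable the account. If nothing at the site
--    needs dbsnmp, lock it and expire the password. If it must stay usable,
--    set a site-specific password (placeholder below) and revoke the wide grant.
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;
-- ALTER USER dbsnmp IDENTIFIED BY "<site-specific-password>" ACCOUNT UNLOCK;
-- REVOKE SELECT ANY DICTIONARY FROM dbsnmp;

-- 5. Re-check: ACCOUNT_STATUS should now read 'EXPIRED & LOCKED' (or 'LOCKED').
SELECT username, account_status
  FROM dba_users
 WHERE username = 'DBSNMP';
```

Because catproc.sql re-runs catsnmp.sql on every patchset, steps 1 and 5 belong in the post-patch checklist rather than being run once.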

