CVE-2004-1367
CVSS 4.4
Published: 2004-08-04 00:00:00
Last modified: 2016-10-17 22:53:35
NMO    

[Original] Oracle 10g Database Server, when installed with a password that contains an exclamation point ("!") for the (1) DBSNMP or (2) SYSMAN user, generates an error that logs the password in the world-readable postDBCreation.log file, which could allow local users to obtain that password and use it against SYS or SYSTEM accounts, which may have been installed with the same password.


[CNNVD] No CNNVD data available.


[Machine translation] Oracle 10g Database Server, when installed with a password containing an exclamation point ("!") for the (1) DBSNMP or (2) SYSMAN user, generates an error that logs the password in the world-readable postDBCreation.log file,

- CVSS (base score)

CVSS score: 4.4 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may cause performance degradation or interrupt access to resources]
Access complexity: MEDIUM [exploitation requires certain access conditions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-200 [Information Exposure]

- CPE (affected platforms and products)

cpe:/a:oracle:oracle10g:standard_10.1_.0.2
cpe:/a:oracle:oracle9i:client_9.2.0.1
cpe:/a:oracle:oracle9i:standard_9.0
cpe:/a:oracle:oracle9i:client_9.2.0.2
cpe:/a:oracle:oracle9i:standard_8.1.7
cpe:/a:oracle:oracle9i:standard_9.2
cpe:/a:oracle:oracle9i:standard_9.2.0.2
cpe:/a:oracle:oracle9i:standard_9.2.0.1
cpe:/a:oracle:oracle9i:standard_9.2.0.4
cpe:/a:oracle:oracle9i:standard_9.2.0.3
cpe:/a:oracle:oracle8i:enterprise_8.1.7_.0.0
cpe:/a:oracle:oracle8i:standard_8.0.6_.3
cpe:/a:oracle:oracle10g:standard_9.0.4_.0
cpe:/a:oracle:oracle9i:standard_9.2.0.5
cpe:/a:oracle:application_server (Oracle Application Server)
cpe:/a:oracle:enterprise_manager:9.0.1 (Oracle Enterprise Manager 9.0.1)
cpe:/a:oracle:enterprise_manager_grid_control:10.1.0.2 (Oracle Enterprise Manager Grid Control 10g 10.1.0.2)
cpe:/a:oracle:oracle8i:enterprise_8.0.6_.0.1
cpe:/a:oracle:oracle9i:enterprise_9.0.1
cpe:/a:oracle:oracle9i:enterprise_9.2.0
cpe:/a:oracle:application_server:9.0.4 (Oracle Oracle10g Application Server 9.0.4)
cpe:/a:oracle:application_server:9.0.3 (Oracle Oracle9i Application Server 9.0.3)
cpe:/a:oracle:application_server:9.0.3.1 (Oracle Application Server 10g 9.0.3.1)
cpe:/a:oracle:oracle8i:standard_8.0.6
cpe:/a:oracle:oracle8i:enterprise_8.0.5_.0.0
cpe:/a:oracle:application_server:9.0.2.0.1 (Oracle Oracle9i Application Server 9.0.2.0.1)
cpe:/a:oracle:application_server:9.0.2.0.0 (Oracle Oracle9i Application Server 9.0.2.0.0)
cpe:/a:oracle:oracle10g:enterprise_9.0.4_.0
cpe:/a:oracle:oracle9i:standard_9.0.1.3
cpe:/a:oracle:oracle9i:standard_9.0.1.2
cpe:/a:oracle:oracle9i:standard_9.0.1.5
cpe:/a:oracle:oracle9i:standard_9.0.1.4
cpe:/a:oracle:e-business_suite:11.5.4 (Oracle E-Business Suite 11i 11.5.4)
cpe:/a:oracle:e-business_suite:11.5.6 (Oracle E-Business Suite 11i 11.5.6)
cpe:/a:oracle:oracle9i:personal_9.0.1
cpe:/a:oracle:e-business_suite:11.5.3 (Oracle E-Business Suite 11i 11.5.3)
cpe:/a:oracle:collaboration_suite:release_1
cpe:/a:oracle:oracle10g:personal_9.0.4_.0
cpe:/a:oracle:oracle8i:enterprise_8.1.5_.0.2
cpe:/a:oracle:oracle8i:standard_8.1.7_.0.0
cpe:/a:oracle:oracle9i:personal_8.1.7
cpe:/a:oracle:oracle8i:enterprise_8.1.6_.1.0
cpe:/a:oracle:oracle9i:personal_9.2.0.4
cpe:/a:oracle:oracle9i:personal_9.2.0.5
cpe:/a:oracle:oracle9i:personal_9.2.0.2
cpe:/a:oracle:oracle8i:enterprise_8.1.5_.0.0
cpe:/a:oracle:oracle9i:personal_9.2.0.3
cpe:/a:oracle:e-business_suite:11.5.1 (Oracle E-Business Suite 11i 11.5.1)
cpe:/a:oracle:oracle9i:enterprise_9.0.1.4
cpe:/a:oracle:oracle9i:enterprise_9.0.1.5
cpe:/a:oracle:oracle9i:enterprise_8.1.7
cpe:/a:oracle:e-business_suite:11.5.5 (Oracle E-Business Suite 11i 11.5.5)
cpe:/a:oracle:e-business_suite:11.5.2 (Oracle E-Business Suite 11i 11.5.2)
cpe:/a:oracle:e-business_suite:11.5.9 (Oracle E-Business Suite 11i 11.5.9)
cpe:/a:oracle:oracle8i:enterprise_8.1.7_.1.0
cpe:/a:oracle:enterprise_manager_database_control:10.1.2 (Oracle Enterprise Manager Database Control 10g 10.1.2)
cpe:/a:oracle:e-business_suite:11.5.8 (Oracle E-Business Suite 11i 11.5.8)
cpe:/a:oracle:oracle8i:enterprise_8.1.7_.4
cpe:/a:oracle:e-business_suite:11.5.7 (Oracle E-Business Suite 11i 11.5.7)
cpe:/a:oracle:oracle8i:standard_8.1.7_.1
cpe:/a:oracle:oracle8i:standard_8.1.7_.4
cpe:/a:oracle:oracle9i:standard_9.0.2
cpe:/a:oracle:oracle9i:personal_9.2.0.1
cpe:/a:oracle:oracle9i:standard_9.0.1
cpe:/a:oracle:enterprise_manager:9 (Oracle Enterprise Manager 9.0i)
cpe:/a:oracle:application_server:9.0.2.1 (Oracle Oracle10g Application Server 9.0.2.1)
cpe:/a:oracle:application_server:9.0.2.2 (Oracle Oracle9i Application Server 9.0.2.2)
cpe:/a:oracle:application_server:9.0.4.0 (Oracle Oracle10g Application Server 9.0.4.0)
cpe:/a:oracle:oracle10g:enterprise_10.1.0.2
cpe:/a:oracle:oracle8i:standard_8.1.7
cpe:/a:oracle:application_server:9.0.2.3 (Oracle Application Server 10g 9.0.2.3)
cpe:/a:oracle:application_server:9.0.4.1 (Oracle Application Server 10g 9.0.4.1)
cpe:/a:oracle:oracle8i:enterprise_8.1.5_.1.0
cpe:/a:oracle:oracle8i:standard_8.1.5
cpe:/a:oracle:oracle9i:enterprise_9.2.0.5
cpe:/a:oracle:oracle9i:enterprise_9.2.0.1
cpe:/a:oracle:oracle9i:enterprise_9.2.0.2
cpe:/a:oracle:oracle9i:enterprise_9.2.0.3
cpe:/a:oracle:oracle9i:enterprise_9.2.0.4
cpe:/a:oracle:oracle9i:personal_9.2
cpe:/a:oracle:oracle8i:standard_8.1.6
cpe:/a:oracle:oracle8i:enterprise_8.0.6_.0.0
cpe:/a:oracle:oracle8i:enterprise_8.1.6_.0.0
cpe:/a:oracle:oracle9i:personal_9.0.1.5
cpe:/a:oracle:application_server:9.0.2 (Oracle Application Server 9i 9.0.2)
cpe:/a:oracle:oracle10g:personal_10.1_.0.2
cpe:/a:oracle:oracle9i:personal_9.0.1.4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1367
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1367
(Official data source) NVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110382247308064&w=2
(UNKNOWN)  BUGTRAQ  20041223 Oracle clear text passwords (#NISR2122004D)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101782-1
(UNKNOWN)  SUNALERT  101782
http://www.kb.cert.org/vuls/id/316206
(UNKNOWN)  CERT-VN  VU#316206
http://www.ngssoftware.com/advisories/oracle23122004D.txt
(VENDOR_ADVISORY)  MISC  http://www.ngssoftware.com/advisories/oracle23122004D.txt
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
(VENDOR_ADVISORY)  CONFIRM  http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
http://www.us-cert.gov/cas/techalerts/TA04-245A.html
(UNKNOWN)  CERT  TA04-245A

- Vulnerability information

14565
Oracle postDBCreation.log Cleartext Password Disclosure
Local Access Required Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Public Vendor Verified

- Vulnerability description

Oracle 10g contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a password containing an exclamation point is entered for the DBSNMP or SYSMAN user during installation: the password is disclosed by being logged to postDBCreation.log, which is world-readable, resulting in a loss of confidentiality.

- Timeline

2004-12-23 Unknown
2004-12-23 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.

- Related references

- Vulnerability author


About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are hosted on MITRE's respective websites.