Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "CERT Issues Alert for Oracle"] [Next entry: "DBMS_SCHEDULER as a new alternative for DBMS_JOB by Patrick Sinke"]

Oracles default password scanner released with CPU April 2006

I have just downloaded the default password scanner released with the April 2006 CPU. This is only available via metalink and is referenced in the CPU advisory. The Metalink note 361482.1 to access the tool decsribes what it is, how to download it, where to use it etc. This note then references a patch that can be downloaded that includes an SQL script and a detailed document about default passwords.

The script is a simple select statement that checks if the username exists with the known password hash for each default user. This is different to my own default password scanner as mine also includes details of the actual password. The new Oracle tool does not include the passwords.

The tool includes around 689 passwords. The big difference with this tool and mine also is that it includes a lot of PeopleSoft default accounts and also some JD Edwards accounts. I guess we both include most of the E-Business Suite ones.

The document is excellent though. It includes details of all default accounts listed in the tool and also details on how to change the passwords. This is very useful as some accounts you cannot simply change the password in the database you also need to change it in config files or elsewhere.

This is a useful tool and worth downloading. So come on Oracle make the document and the tool publically available!!! not just from Metalink.