Oracle security check result.

hi,

We have some Oracle security related issue, are they really necessary ? please share your though.

1) Description: 1.1.10 Change the default password for 'OLAPSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The OLAPSYS account owns the online analytical processing (OLAP) catalog. OLAP applications are developed/operate to use business
intelligence and data warehousing systems and OLAP is optimized for this type of application.
Finding:
The OLAPSYS user has default password using 11G or 10G password hashing mechanism.



2) Description: 1.1.12 Change the default password for 'ORDDATA' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The ORDDATA user operationalizes/owns the Oracle Multimedia DICOM modality: Digital Imaging and Communications in Medicine
(DICOM), which is the industry standard for medical imaging, enables the Database to store, manage, and manipulate all DICOM format
medical content.


3) Description: 1.1.18 Change the default password for 'SI_INFORMTN_SCHEMA' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The SI_INFORMTN_SCHEMA functions as the location for storing plugins supplied by Oracle and all other third-party plugins.
Finding:
The SI_INFORMTN_SCHEMA user has default password using 11G or 10G password hashing mechanism.
Rationale:
As the default SI_INFORMTN_SCHEMA account created by Oracle has a well-known password and can be potentially corrupted to allow
the installation of malware disguised as third-party multimedia plugins, this value should be reset according to the needs of the organization.


4) Description: 1.1.19 Change the default password for 'SPATIAL_CSW_ADMIN_USR' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The SPATIAL_CSW_ADMIN_USR account owns the Catalog Services for the Web (CSW) capabilities, which are used by Oracle to load
record-type metadata and instances from the DB into the main memory when these records are cached.
Finding:
The SPATIAL_CSW_ADMIN_USR user has default password using 11G or 10G password hashing mechanism.

5) Description: 1.1.20 Change the default password for 'SPATIAL_WFS_ADMIN_USR' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The SPATIAL_WFS_ADMIN_USR account owns the Web Feature Service (WFS) capabilities, which are used by Oracle to load feature
instance/metadata from the DB into the main memory when these are pulled from a cache.
Finding:
The SPATIAL_WFS_ADMIN_USR user has default password using 11G or 10G password hashing mechanism.


6) Description: 1.1.2 Change the default password for 'APPQOSSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The APPQOSSYS account manages/owns all Quality of Service objects and provides an intuitive, policy-driven system to manage service
level requirements.

7)   Description: 1.1.26 Change the default password for 'WMSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The WMSYS account stores manages all metadata for the Workspace manager, which provides a virtual environment to isolate
workspaces, such as a collection of changes to production data, or keep a changes history, allowing the creation of "what if" scenarios.
Finding:
The WMSYS user has default password using 11G or 10G password hashing mechanism.

8)

Description: 1.1.27 Change the default password for 'XDB' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The XDB account enables high-performance storage and retrieval of XML data.
Finding:
The XDB user has default password using 11G or 10G password hashing mechanism.

9) Description: 1.1.4 Change the default password for 'DBSNMP' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The DBSNMP account is used by the Oracle Enterprise Manager to monitor and manage the database.
Finding:
The DBSNMP user has default password using 11G or 10G password hashing mechanism.

10 )
Description: 1.1.5 Change the default password for 'DIP' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The DIP account supports the operation of the Oracle Internet Directory and Oracle Label Security.
Finding:
The DIP user has default password using 11G or 10G password hashing mechanism.

11)
Description: 1.1.3 Change the default password for 'CTXSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The CTXSYS is used to administer Oracle Text.
Finding:
The CTXSYS user has default password using 11G or 10G password hashing mechanism.

12)
Description: 1.1.8 Change the default password for 'MDSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The MDSYS is the user in that operationalizes the Oracle Multimedia Locator, which serves as part of the storage, management, and
retrieval of audio/video images.
Finding:
The MDSYS user has default password using 11G or 10G password hashing mechanism.

13)

Description: 1.1.7 Change the default password for 'MDDATA' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The MDDATA account owns the schema used by Oracle Spatial for storing Geocoder and router data, which allows the plotting of
datapoints, such as market locations/types, against latitude and longitude on a map, in a way similar to a GPS presentation.
Finding:
The MDDATA user has default password using 11G or 10G password hashing mechanism.

14)
Description: Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows
local users to affect confidentiality, integrity, and availability via unspecified vectors.
Fixed in CPU Apr 2016.
Remediation: Install the latest update available and follow additional remediation steps if necessary as suggested in the vendor's website.

15)
Description: Unspecified vulnerability in the JDBC component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote
attackers to affect confidentiality, integrity, and availability via unknown vectors.
Fixed in CPU Jul 2016.
Remediation: Install the latest update available and follow additional remediation steps if necessary as suggested in the vendor's website.

16) Description: Unspecified vulnerability in the Portable Clusterware component in Oracle Database Server 11.2.0.4 and 12.1.0.2 allows
remote attackers to affect availability via unknown vectors.
Fixed in CPU Jul 2016.
Remediation: Install the latest update available and follow additional remediation steps if necessary as suggested in the vendor's website.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3479

17)

Description: Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4,
12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows low privileged attacker having Create session privilege with logon to the
infrastructure where Core RDBMS executes to compromise Core RDBMS. While the vulnerability is in Core RDBMS, attacks may
significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Core RDBMS. Note: This score is
for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 7.8 with scope
Unchanged.
Fixed in CPU October 2017.
Remediation: Install the latest update available and follow additional remediation steps if necessary as suggested in the vendor's website.



18)
Description: 1.1.18 Change the default password for 'SI_INFORMTN_SCHEMA' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The SI_INFORMTN_SCHEMA functions as the location for storing plugins supplied by Oracle and all other third-party plugins.
Finding:
The SI_INFORMTN_SCHEMA user has default password using 11G or 10G password hashing mechanism.
Rationale:
As the default SI_INFORMTN_SCHEMA account created by Oracle has a well-known password and can be potentially corrupted to allow
the installation of malware disguised as third-party multimedia plugins, this value should be reset according to the needs of the organization.


Question is, changing all those password is ok ?
LVL 1
marrowyungSenior Technical architecture (Data)Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

slightwv (䄆 Netminder) Commented:
>>Question is, changing all those password is ok ?

In my databases it is.  I cannot speak for your databases.  Most of those accounts should be "EXPIRED & LOCKED".  If they are in your system, then change the passwords since nothing is logging in as them.

If one or more of them are "OPEN", I would check with the DBA and/or Administrators/System Analysts to see what might be using them.

Here is the query:
select username, account_status from dba_users;

In 12c there is now a LAST_LOGIN column in dba_users that will provide additional information.  If they haven't been logged into forever, probably safe to change the passwords but again, we cannot say for sure because we don't know your system.
0
Geert GOracle dbaCommented:
this is a standard "holes" document of an attack and penetration test

off course you should change the default password for all the accounts

never seen any movies were a seal team comes in and uses the default code to open the bank safe ?
or the front door with number lock ?

same thing
0
btanExec ConsultantCommented:
1-14,18) ORACLE creates a default account with those user ID such as "XDB" (and others) and mostly with password "CHANGE_ON_INSTALL". It is best practice to remove default accounts, if not used and possible. For accounts required by the system, the default password should be changed. This account grants user level access to the system. In fact, those "change default password" findings are in best practice (and compliance check) found in CIS benchmark. The rationale is shared in the document.

http://www.itsecure.hu/library/image/CIS_Oracle_Database_Server_11g_R2_on_Oracle_Linux_5_Benchmark_v1.0.0-A2.pdf

The rest are due to its poorly patch state - using very old version which goes all the way back to 2014. These vulnerabilities can be exploited and lead to further damage through

14-16) https://nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aoracle%3Adatabase_server%3A12.1.0.1&page_num=0&cid=3
17) https://nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aoracle%3Adatabase%3A11.2.0.4&page_num=0&cid=3
0
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

marrowyungSenior Technical architecture (Data)Author Commented:
the point is usually we worry about sysdba and sysadm, I can't see so much other type of account.
0
btanExec ConsultantCommented:
It is about doing first time right.

All aware of the SYS and SYSTEM users that are loaded with high-level database privileges to perform every database administrative task imaginable.
For this reason, yet not often adhered to, the SYS and SYSTEM accounts should nearly never be used. Instead grant specific privileges to pseudo database administrative accounts.

We need to protect against the use and miss-use of these two important accounts.

Likewise, the other predefined administrative accounts should be handled with the same amount of caution.

But assumption trap kick in.
DBAs and developers often, in an attempt to hurry testing, may grant higher levels of privileges to these accounts.

This has the potential to create great harm if any form of migration were to happen from development or test into a production environment and these accounts were propagated as well. Such exposure should be avoid otherwise attacker will haunt for these and pivot remotely into the systems to do more harm.
0
marrowyungSenior Technical architecture (Data)Author Commented:
"But assumption trap kick in.
DBAs and developers often, in an attempt to hurry testing, may grant higher levels of privileges to these accounts."

yes I knew.

but actually all those permission stuff I post is normal in  all oracle DB but I don't think all orace DB will have it, right?
0
marrowyungSenior Technical architecture (Data)Author Commented:
"1-14,18) ORACLE creates a default account with those user ID such as "XDB" (and others) and mostly with password "CHANGE_ON_INSTALL"."


15-17, do you think it is really just update products?
0
slightwv (䄆 Netminder) Commented:
>>15-17, do you think it is really just update products?

It does appear you just need to make sure you are patched.
0
btanExec ConsultantCommented:
Oracle creates a number of default database users or schemas when a new database is created. Later version will have more. E.g. Oracle Database 12c, the list of default accounts below.
https://docs.oracle.com/database/121/NTDBI/startrdb.htm#NTDBI2845

For the patches, it is just that. Unless you are not able to do it then it is the workaround that need to be in place. You can rescan to confirm and note that changes may need reboot.
0
marrowyungSenior Technical architecture (Data)Author Commented:
"Oracle creates a number of default database users or schemas when a new database is created. Later version will have more. E.g. Oracle Database 12c, the list of default accounts below.
"

in this case the oracle DBA has a lot of thing to do on that ! change all password is time consuming .
0
slightwv (䄆 Netminder) Commented:
>>change all password is time consuming .

Not really.  Besides, that is part of the job of a DBA.

Since NO ONE EVER needs to log into them, you don't really need to remember the passwords.

Have SQL generate the SQL.  Then just exeecute it:
select 'alter user ' || username || ' identified by ' || dbms_random.string('a',10) || ';' from dba_users where username in ('XDB','CTXSYS');

Open in new window


Just add to the list of usernames you need to change.

Takes seconds per database.
0
btanExec ConsultantCommented:
To add on default password can be search and change. See the script. You can add on if needed but should quite comprehensive already.
https://www.google.com.sg/amp/s/maxwellmiranda.wordpress.com/2011/03/08/script-to-find-default-oracle-user-passwords/amp/

 in case you want to see official oracle advice
https://docs.oracle.com/cd/B28359_01/server.111/b28337/tdpsg_user_accounts.htm#BABJAEDF

Some others also
. If you find default accounts with default passwords, then do two things.
First decide if the account can be removed. It should be possible in almost all cases. If it can remove it.

 If not change the password, lock and expire the account and audit access to them. Also use the password management features particularly on default accounts.
0
slightwv (䄆 Netminder) Commented:
>>See the script. You can add on if needed but should quite comprehensive already.

The password column is no longer populated in 12c so that script likely won't help.

The link to the Oracle documentation is good.  I would go with the docs.

You should always go with the version of the documentation you are running.

Here is the 12.2 version.  
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/tdpsg/securing-the-database-installation-and-configuration.html#GUID-8884D9B2-34BD-4D73-8E8F-16E8A539F1C1


Putting that into my query:
select 'alter user ' || username || ' identified by ' || dbms_random.string('a',10) || ';' 
from dba_users where username in (select username from DBA_USERS_WITH_DEFPWD);

Open in new window

0
Geert GOracle dbaCommented:
lol, default password list ... had a good laugh with that
0
marrowyungSenior Technical architecture (Data)Author Commented:
slightwv ,

"Besides, that is part of the job of a DBA."

I mean not that expensive and much!

"Have SQL generate the SQL.  Then just execute it:"

So still need time to add one by one. MS SQL don't need that except the account is created for service use that sometimes we don't prefer to have password change, that's is also good as we can have virtual account for SQL server operation as it has no password at all ! no need to change at all.
0
Geert GOracle dbaCommented:
lol, comparing mssql to oracle ?

So still need time to add one by one.
Well, if you're clever you can setup a dos/bash script which resets all the default passwords
some auditing departments want a "complex" password

i've made a script which runs daily to reset the system/sys password to something random
some vendors actually used sys to login, after i reset that password all hell broke loose
they came up with an idiot story for some missing privs and was given the password
they thought they were ok again ... until the day after
they finally decided to follow the rules and use a separate account

it's not only about the default passwords, it's about the whole security thingy
protect access to your systems and especially to high priviliged accounts
0
marrowyungSenior Technical architecture (Data)Author Commented:
"lol, comparing mssql to oracle ?"

why not ? this kind of compare can be a good learning step stone.


"it's not only about the default passwords, it's about the whole security thingy
protect access to your systems and especially to high priviliged accounts"

I knew, the question I am asking is about a result from a scanning process.
0
slightwv (䄆 Netminder) Commented:
>>virtual account for SQL server operation as it has no password at all ! no need to change at all.

You can also have Oracle users that authenticate outside of the database and have no password.  So?

The question you asked is about schemas Oracle creates for you and some cannot be removed.  Some can.  That depends on the features and options you need.  Those schemas have passwords.  The scan is telling you that you need to change the default passwords.

You do realize that you could have had them all done on ALL the databases you have several times by now.  Right?

>>So still need time to add one by one

Move the SQL into a PL/SQL block and use execute immediate to execute it real time.  Then if you have several databases to execute against, script it!

A word of caution:  Before you script and change passwords, you  might want to tweak the SQL to look for locked accounts with default passwords.  If the account is unlocked some process might be using it even with the default password.  If you change it, things might break.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
another thought is that if those default account is not needed, then consider "locking" them out and render not "usable". otherwise opt for the risk acceptance is really deem it is so unfriendly but the aftermath of the damage control may be costly when (not if) hacker exploits  the default account to gain access and penetrate. Sometimes it is also driven by compliance to close them up.
0
slightwv (䄆 Netminder) Commented:
Most, if not all, of them are locked and expired by default.
0
marrowyungSenior Technical architecture (Data)Author Commented:
slightwv,

"If the account is unlocked some process might be using it even with the default password.  If you change it, things might break."

you mean application still using it and that's why it is unlocked ?


"Most, if not all, of them are locked and expired by default."

sorry I am confused.
0
slightwv (䄆 Netminder) Commented:
>>you mean application still using it and that's why it is unlocked ?

Something/someone at some time has unlocked the account which means they needed to do so.  If it still needs to be unlocked, we have no idea.  That is something your apps/DBAs/systems folks will need to tell you.

>>sorry I am confused.

When you create a database, you get many default users and schemas.  That is what the security check looked at.  MOST of them are created with a LOCKED and EXPIRED status so no one can log into them unless a DBA unlocks them.

Check the docs for allowed account_status column values.
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/refrn/DBA_USERS.html#GUID-309FCCB2-2E8D-4371-9FC5-7F3B10E2A8C0


Here is a subset from one of my databases:
SQL>  select username,account_status from dba_users where username in ('XDB','CTXSYS','ANONYMOUS');
XDB                            LOCKED
ANONYMOUS                      EXPIRED & LOCKED
CTXSYS                         OPEN

Open in new window

0
marrowyungSenior Technical architecture (Data)Author Commented:
tks all, might come back later for this is really necessary.
0
slightwv (䄆 Netminder) Commented:
>>might come back later for this is really necessary.

No need to come back later:
It is all about security and risk mitigation.  With that is perceived and actual.

First rule is there is no such thing as a 100% secure computer.

Once of the most secure computers is one with no cables, keyboards or power connected, encased in 5 feet of steel reinforced concrete and dropped off a boat in the Mariana Trench.  Then there is everything else.

There are known vulnerabilities in those packages and security testers know to look for them.  They do a scan and make recommendations about possible security risks.  Many times they have no idea about the impacts of their suggestions.

It is up to Management to accept any risk of not following those recommendations.

For example:  If only one server is allowed to connect to the database server and only one username is unlocked then having PUBLIC execute isn't as big of a deal as a database server open to the entire network with thousands of potential connections.
0
marrowyungSenior Technical architecture (Data)Author Commented:
"Once of the most secure computers is one with no cables, keyboards or power connected, encased in 5 feet of steel reinforced concrete and dropped off a boat in the Mariana Trench.  Then there is everything else.
"
yeah, someone talk about that before and it is very risky once Internet comes up ! before that we are fine ...  :):)

"There are known vulnerabilities in those packages and security testers know to look for them.  They do a scan and make recommendations about possible security risks.  Many times they have no idea about the impacts of their suggestions."

exactly ! I get an MS SQL check that it said turn on C2 Audit ! B.S. !! if it turns on , SQL server CPU super high ! SQL server doesn't works any more.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Oracle Database

From novice to tech pro — start learning today.