Threat Finder

Threat ID: 7
Threat Date: 08/06/2007
Threat Name: Default database password
CVE Reference: CVE-NO-MATCH
CCE Reference: CCE-NO-MATCH
Risk: High
Database Type: Oracle
Category: Weak Passwords
Versions: All versions of Oracle
Summary
Oracle is installed with a list of well-known usernames and passwords. If a default password has not been changed, an attacker can easily break into a database.
Overview
There are a large number of well-known account/password combinations that an attacker can use to break into a database.

These account/password combinations come from several sources:
1 - installed by default with the database
2 - installed when additional components or 3rd party applications are installed
3 - installed when running samples

After installing a database, you should immediately change any default usernames and passwords.
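
One way to carry out this check and remediation, as an added example that is not part of the original entry or of any vendor fix script. It assumes Oracle Database 11g or later, where the DBA_USERS_WITH_DEFPWD dictionary view is available, and a session that can read the DBA_ views; APP_OWNER, SAMPLE_SCHEMA and the password value are placeholders.

```sql
-- Added example: audit and remediate accounts that still use a default password.
-- Assumption: Oracle 11g or later (DBA_USERS_WITH_DEFPWD exists) and a
-- session with SELECT access to the DBA_ dictionary views.

-- 1. List every account whose password is still a known default.
--    Accounts that are not locked are the exposed ones, so sort them first.
SELECT d.username,
       u.account_status,
       u.profile,
       u.created
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
ORDER  BY CASE WHEN u.account_status LIKE '%LOCKED%' THEN 1 ELSE 0 END,
          d.username;

-- 2. Account that is still needed: set a new, unique password.
--    APP_OWNER and the password below are placeholders, not real values.
ALTER USER app_owner IDENTIFIED BY "Replace_With_Unique_Value_1";

-- 3. Account that is not needed (for example a sample schema):
--    expire the password and lock the account.
--    SAMPLE_SCHEMA is a placeholder name.
ALTER USER sample_schema PASSWORD EXPIRE ACCOUNT LOCK;

-- 4. Verify. A locked account keeps its old password and so still appears
--    in the view; the count below covers only accounts that can log in
--    and should be 0 after remediation.
SELECT COUNT(*) AS unlocked_default_pwd_accounts
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
WHERE  u.account_status NOT LIKE '%LOCKED%';
```

Re-run the audit after installing additional components, 3rd party applications or samples, since each of these can create new accounts with default passwords.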
References
http://www.oracle.com/pls/db111/db111.drilldown?remark=&word=default+passwords&expand_all=1
http://www.oracle.com/pls/db92/db92.drilldown?remark=&word=default+passwords&expand_all=1
VMSKey: V0015635
STIGID: DG0128

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.