Any db users can connect as sysdba?

edited Aug 21, 2017 2:44PM in Database Administration (MOSC), 4 comments, Answered ✓

We discovered a serious security issue within our database.

Any user can connect as sysdba. Even a dummy (non-existing) user can connect, with a blank password at the prompt.

DEVL> sqlplus /nolog

SQL*Plus: Release 12.1.0.2.0 Production on Mon Aug 21 09:58:50 2017

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

SQL> connect dummy as sysdba;

Enter password:

Connected.

SQL> show user

USER is "SYS"

SQL>

My pwfile:

SQL> desc v$pwfile_users;

Name                                      Null?    Type

----------------------------------------- -------- ----------------------------

USERNAME                                           VARCHAR2(30)

SYSDBA                                             VARCHAR2(5)

SYSOPER                                            VARCHAR2(5)

SYSASM                                             VARCHAR2(5)

SYSBACKUP                                          VARCHAR2(5)

SYSDG                                              VARCHAR2(5)

SYSKM                                              VARCHAR2(5)

CON_ID                                             NUMBER
