
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Oracle have released an email warning customers about the latest worm



Oracle have sent out an email to all customers of its products warning about the latest variant of the Voyager Worm. In it they make security suggestions and provide a link to a free tool to check the default user passwords that are used in the worm. You can of course use a much better default password checking tool. The Oracle email is included here in full:

Dear Oracle customer,

Oracle Global Product Security has investigated potentially malicious code that was posted on the Internet on December 29, 2005. It is based on the Voyager code that was posted on the Internet on October 31, 2005, and is designed to target Oracle databases. The new code attempts to take advantage of the same default usernames and passwords for Oracle databases that October's code uses, and like October's Voyager code, this new code is incomplete, preventing the code from spreading to other machines. Unlike October's Voyager code, which did not contain a malicious payload, this new code attempts to stop remote Oracle listeners on machines that have not been properly secured in accordance with the instructions sent to all customers on November 4th, 2005 in response to the Voyager code's publication.

Customers who have properly secured their Oracle databases in accordance with the instructions sent in November, or who follow good security lockdown practices of their Oracle listener and database servers, are not vulnerable to this new variant of the Voyager code.

Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. A MetaLink note is available that outlines the minimum essential steps customers should take to mitigate future attempted attacks against their Oracle databases. Please note that Oracle will also update this MetaLink note if new information becomes available, and will not send additional email for minor changes to the Voyager code or this note.

Oracle has also released a tool to assist customers in verifying the lockdown status of the seven default database accounts used in the Voyager code posted on the Internet on October 31st and December 29th, 2005. This is available via patch # 4926128. This tool does not replace the essential security guidelines outlined in the security checklist and the MetaLink note referenced in this email, nor does it replace the importance of verifying the status of all default database accounts.

Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.

The MetaLink Doc ID is 340009.1:
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340009.1

Additional references:
http://www.oracle.com/technology/deploy/security/db_security/index.html

http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

Sincerely,
Oracle Global Product Security

PLEASE DO NOT REPLY TO THIS E-MAIL. This address is not monitored.