Red-Database-Security GmbH - Oracle Security Advisory

Oracle JDeveloper Plaintext Passwords

Name:             Oracle JDeveloper Plaintext Passwords
Systems Affected: Oracle JDeveloper 9.0.4, 9.0.5, 10.1.2
Severity:         Low Risk
Category:         Information Disclosure of Passwords
Vendor URL:       http://www.oracle.com
Author:           Alexander Kornbrust (ak at red-database-security.com)
Date:             13 July 2005 (V 1.00)
Advisory:         AKSEC2003-006
Oracle Vuln#:     AS10
Time to fix:      148 days

Details
#######

The JDeveloper configuration files IDEConnections.xml, XSQLConfig.xml and settings.xml contain unencrypted database passwords.

Examples
########

1. Plaintext password in IDEConnections.xml

   Configuration values (the XML element names were not preserved in this copy of the advisory):

   1521 JDBC picard true system ConnectionAlex2 ora10103 oracle.jdbc.driver.OracleDriver mysupersecretpassword1 thin

2. Plaintext password in XSQLConfig.xml

   Configuration values (the XML element names were not preserved in this copy of the advisory):

   system
   mysupersecretpassword1
   jdbc:oracle:oci8:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=picard)(PORT=1521)))(CONNECT_DATA=(SID=ora10103)))
   oracle.jdbc.driver.OracleDriver

3. Plaintext password of the OTN account in settings.xml

   Configuration values (the XML element names were not preserved in this copy of the advisory):

   oracle.ideimpl.update.wizard.AuthInfo
   mysupersecretpassword1
   true
   email@email.com

Patch Information
#################

Apply the patches for JDeveloper and / or Developer Suite mentioned in Metalink Note 311038 to your JDeveloper / Developer Suite installation (normally your client PC).

History
#######

14-feb-2005  Oracle secalert_us was informed
14-feb-2005  Bug confirmed
12-jul-2005  Oracle published Oracle Critical Patch Update July 2005
12-jul-2005  Red-Database-Security published this advisory

© 2005 by Red-Database-Security GmbH
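As an added example that is not part of the original advisory, the following Python script shows how an administrator could audit IDE and tool configuration files on a client PC for credentials stored in the clear. The element names used in the constructed sample (`connection`, `user`, `password`, and so on) are assumptions; the advisory above does not show the real IDEConnections.xml layout, only the values. The scanner matches any element or attribute whose name looks like a password and reports where it was found, masking the value so the audit output itself does not leak the secret.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample in the rough shape of a JDeveloper-style connection file.
# Element names are assumptions for this example; the real file layout is not
# shown on the advisory page. Values mirror those quoted in the advisory.
SAMPLE_IDECONNECTIONS = """<?xml version="1.0"?>
<connections>
  <connection>
    <name>ConnectionAlex2</name>
    <user>system</user>
    <password>mysupersecretpassword1</password>
    <hostname>picard</hostname>
    <port>1521</port>
    <sid>ora10103</sid>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
  </connection>
  <connection>
    <name>ConnectionNoPw</name>
    <user>scott</user>
    <password></password>
  </connection>
  <proxy host="proxy.example.invalid" proxyPassword="hunter2"/>
</connections>
"""

# Name fragments that usually indicate a credential field.
PASSWORD_NAME_HINTS = ("password", "passwd", "pwd")


def looks_like_password_name(name: str) -> bool:
    """True if an element or attribute name suggests it holds a password."""
    lowered = name.lower()
    return any(hint in lowered for hint in PASSWORD_NAME_HINTS)


def find_plaintext_passwords(xml_text: str) -> List[Tuple[str, str]]:
    """Return (location, value) for every non-empty password-like element text
    or attribute in the document. Empty values are ignored: an empty
    <password/> element is not a finding."""
    root = ET.fromstring(xml_text)
    hits: List[Tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        if looks_like_password_name(elem.tag):
            value = (elem.text or "").strip()
            if value:
                hits.append((path, value))
        for attr_name, attr_value in elem.attrib.items():
            if looks_like_password_name(attr_name) and attr_value.strip():
                hits.append((f"{path}@{attr_name}", attr_value.strip()))
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return hits


def mask(value: str) -> str:
    """Mask a secret for audit output, keeping only its length visible."""
    return "*" * len(value)


def report(xml_text: str, filename: str) -> List[str]:
    """Build human-readable audit lines for one configuration file."""
    return [f"{filename}: plaintext credential at {loc} (value: {mask(val)})"
            for loc, val in find_plaintext_passwords(xml_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_IDECONNECTIONS, "IDEConnections.xml"):
        print(line)
```

In practice the same function would be run over each of the three files named in the advisory; a non-empty result is the signal to apply the vendor patch, rotate the affected database and OTN credentials, and restrict file permissions on the IDE configuration directory.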