Name:             Unprivileged DB users can see APEX password hashes
Systems Affected: APEX 3.0 (optional component of the 11.1.0.7 installation)
Severity:         High Risk
Category:         Password Disclosure
Vendor URL:       http://www.oracle.com/
Author:           Alexander Kornbrust (ak at red-database-security.com)
CVE:              CVE-2009-0981
Advisory:         14 April 2009 (V 1.00)

Details:

Unprivileged database users can read the APEX password hashes stored in
FLOWS_030000.WWV_FLOW_USERS (column WEB_PASSWORD2). Any account that can
open a session is enough; no DBA role or object privilege is required.

    SQL> select user_name, web_password2 from FLOWS_030000.WWV_FLOW_USERS;

    USER_NAME   WEB_PASSWORD2
    ----------- --------------------------------
    YURI        141FA790354FB6C72802FDEA86353F31

The disclosed hash can be checked against weak or known passwords with a
tool like Repscan. Additional information is available in the following
advisory:

    http://www.red-database-security.com/advisory/apex_password_hashes.html

Patch Information:

Upgrade to Oracle APEX 3.2.

Verification:

Our Oracle database scanner Repscan was updated with the information from
the Oracle CPU April 2009 and can identify vulnerable databases. More
information about Repscan can be found here:

    http://www.sentrigo.com/repscan

History:

    13-jan-2009  Oracle published CPU April 2009 [CVE-2009-0981]
    14-apr-2009  Oracle published CPU April 2009 [CVE-2009-0981]
    14-apr-2009  Advisory published

About Red-Database-Security:

Red-Database-Security is the leading company for Oracle security. Within
the last 6 years we have reported several hundred vulnerabilities to Oracle.

--
(c) 2009 by Red-Database-Security GmbH
http://www.red-database-security.com
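The following SQL*Plus script is an added example for the Details and Verification sections above; it is not part of the original advisory and is not Repscan code. It lets a DBA confirm whether an APEX installation exposes WWV_FLOW_USERS to ordinary accounts: first by listing the APEX schemas and the object grants and public synonyms on the table, then by attempting the disclosed query from a low-privileged session. The schema name FLOWS_030000 is the APEX 3.0 default; the test account SCOTT/TIGER is a placeholder for any non-DBA account you control.

```sql
-- Added verification script (not from the original advisory).
-- Assumptions: run in SQL*Plus as a DBA; FLOWS_030000 is the APEX 3.0 schema;
-- scott/tiger is a placeholder for a low-privileged test account.

-- 1. Locate every APEX user table on the instance (one per installed version).
SELECT owner, table_name
  FROM dba_tables
 WHERE table_name = 'WWV_FLOW_USERS'
 ORDER BY owner;

-- 2. Object grants on the table. A row with grantee = 'PUBLIC' (or any
--    non-APEX grantee) means every session can read the password hashes.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'FLOWS_030000'
   AND table_name = 'WWV_FLOW_USERS'
 ORDER BY grantee, privilege;

-- 3. Public synonyms that let a session reach the table without the schema prefix.
SELECT synonym_name, table_owner, table_name
  FROM dba_synonyms
 WHERE owner = 'PUBLIC'
   AND table_name = 'WWV_FLOW_USERS';

-- 4. Functional check from a plain account: reproduce the advisory's query.
--    On a fixed system this fails with ORA-00942 (table or view does not exist);
--    any returned rows mean the hashes are still readable.
CONNECT scott/tiger
SELECT user_name, web_password2
  FROM flows_030000.wwv_flow_users
 WHERE ROWNUM <= 5;
```

Run step 4 with an account that holds nothing beyond CREATE SESSION, since that is the population of users the advisory is about; a result from a DBA session proves nothing. After upgrading to APEX 3.2 (or applying the CPU), re-run steps 2 and 3 as well, because a leftover PUBLIC grant or synonym on the old FLOWS_030000 schema would keep the hashes readable even though the new schema is clean.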