COMMAND

    Oracle has a default user account, dbsnmp, that permits privilege escalation

SYSTEMS AFFECTED

    Oracle 8i/9i releases

PROBLEM

    Gilles Parc says:

    There is a security risk with the catsnmp catalog (in $ORACLE_HOME/rdbms/admin) which is shipped with 8i/9i releases. This file drops and recreates the user dbsnmp with the default password "dbsnmp" and gives it some database privileges.

    For 8i releases, these privileges are mostly grants on V_$ views.

    For 9i releases, this user is granted the "SELECT ANY DICTIONARY" privilege, which is a powerful one (it can see any SYS objects, like link$, which stores unencrypted passwords).

    One can argue that the security policy of the site should ensure that default passwords must be changed. But even in this case, I'm sure that over time many databases will revert to the default password, because catproc.sql (which executes catsnmp automatically) is required by Oracle when applying patchsets and sometimes individual patches.

SOLUTION

    Oracle set bug-id [#2432163], nothing else yet.
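The practical consequence of the report above is that every patchset that re-runs catproc.sql can silently put the dbsnmp account back into its default state. The script below is an added example for a DBA to run after patching; it is not part of the advisory and not Oracle's code. It assumes an 8i/9i dictionary (DBA_USERS still exposes the password hash in the PASSWORD column on those releases), that it is run as SYS or another DBA from SQL*Plus, and that the hash E066D214D5421CCC is the published default-password hash for DBSNMP/DBSNMP under the pre-11g password scheme (verify this against your own default-password list before relying on it).

```sql
-- Post-patch audit of the DBSNMP account on Oracle 8i/9i.
-- Added example: not from the advisory and not from Oracle. Run as SYS
-- (or another DBA) after catproc.sql / catsnmp.sql has been re-executed.

-- 1. Does DBSNMP exist, is it open, and was it re-created by the patch?
--    A CREATED date later than your last password change is the tell-tale
--    sign that catsnmp dropped and recreated the account.
SELECT username, account_status, created, password
  FROM dba_users
 WHERE username = 'DBSNMP';

-- 2. Flag the default password. E066D214D5421CCC is the widely published
--    hash of DBSNMP/DBSNMP for the DES-based scheme used by 8i/9i
--    (assumption: confirm against your own default-password list).
SELECT 'DBSNMP still carries the default password' AS finding
  FROM dba_users
 WHERE username = 'DBSNMP'
   AND password = 'E066D214D5421CCC';

-- 3. What did catsnmp grant? On 9i expect SELECT ANY DICTIONARY here;
--    on 8i the interesting part is the object grants on V_$ views.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'DBSNMP';

SELECT granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'DBSNMP';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'DBSNMP'
 ORDER BY owner, table_name;

-- 4. Why SELECT ANY DICTIONARY matters on 9i: it lets DBSNMP read
--    SYS.LINK$, which on these releases stores database-link passwords
--    in clear text. Run this as SYS to see exactly what would be exposed
--    to anyone who logs in as dbsnmp/dbsnmp.
SELECT name, userid, password
  FROM sys.link$;

-- 5. Remediation. Pick ONE option and re-run it after every patchset.
--    Option A: the Intelligent Agent is not used -> lock the account.
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;

--    Option B: the agent is in use -> set a site password (the value
--    below is a placeholder, not a suggestion) and drop the broad
--    dictionary privilege. Test the agent afterwards; on 9i it may need
--    explicit grants on the individual views it polls instead.
-- ALTER USER dbsnmp IDENTIFIED BY "Replace_With_Site_Password_1";
-- REVOKE SELECT ANY DICTIONARY FROM dbsnmp;
```

The first two queries are the ones worth wiring into a post-patch checklist: a non-NULL row from the default-hash check, or a CREATED timestamp that matches the patch window, means catsnmp ran and the account is back to dbsnmp/dbsnmp regardless of what the site policy says.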