SYS.LINK$ Shows all Database Link Password in Clear Text (Unencrypted)
(Doc ID 202987.1)
Last updated on AUGUST 04, 2018
Applies to: Oracle Database - Enterprise Edition - Version 22.214.171.124 to 126.96.36.199 [Release 8.1.7 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 10-Jun-2013
A database link is a mechanism used to provide a method of transparently accessing one server from another.
When creating a database link, a user name and password of the account on the remote server can be specified. Creating the database link without credentials works only if the user exists on both databases and has the same password.
Once this is done, all queries using the link have the privileges of the indicated account on the remote server. When the account and password are omitted at link creation, the account and password of the user connecting through the link are used instead. Specifying the username and password of an account to use for all connections through a link can lead to passwords being exposed.
Prior to version 10gR2, database link passwords are stored as plain text. Users with the SELECT privilege on the SYS.LINK$ table can view those passwords in plain text. Setting up links to authenticate as the current user prevents unencrypted passwords from being exposed and provides increased accountability.
Oracle accounts were found with permission to view the table SYS.LINK$. Access to view the table SYS.LINK$ should be restricted because database link passwords are stored unencrypted (prior to 10gR2) in this table.
For all DBAs who are defining or maintaining database links.
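The check described above, written as audit queries a DBA can run from a privileged session. This is an added example, not part of the Oracle note; it assumes the standard dictionary views DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS and DBA_DB_LINKS, and the grantee in the final comment is a placeholder.

```sql
-- 1. Direct object grants on SYS.LINK$ (to users or to roles).
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'LINK$'
ORDER  BY grantee;

-- 2. Accounts that inherit such a grant through a role, including nested roles.
--    The walk starts at every role holding a LINK$ grant and follows role grants
--    downward; the outer filter keeps only real accounts.
SELECT DISTINCT grantee
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START  WITH granted_role IN (SELECT grantee
                             FROM   dba_tab_privs
                             WHERE  owner = 'SYS'
                             AND    table_name = 'LINK$')
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;

-- 3. System privileges that reach SYS-owned tables without any object grant.
--    SELECT ANY TABLE covers SYS objects only when O7_DICTIONARY_ACCESSIBILITY = TRUE.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
ORDER  BY grantee, privilege;

-- 4. Links created with a fixed remote account, i.e. the ones whose password
--    is stored in SYS.LINK$. Connected-user links have a NULL username;
--    current-user links are assumed to show the literal 'CURRENT_USER'.
SELECT owner, db_link, username, host, created
FROM   dba_db_links
WHERE  username IS NOT NULL
AND    username <> 'CURRENT_USER'
ORDER  BY owner, db_link;

-- 5. Remediation template for each unwanted grantee found in step 1
--    (APP_REPORTING is a placeholder, not a name from the note):
-- REVOKE SELECT ON sys.link$ FROM app_reporting;
```

Grantees returned by queries 1 to 3 that are not DBA accounts are the ones to review, and each link returned by query 4 is a candidate for conversion to a connected-user or current-user link.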