Hi, 

There is a security risk with catsnmp catalog (in 
$ORACLE_HOME/rdbms/admin) 
  which is shipped with 8i/9i releases. 
  -- 
  Details : this file drop and recreate user dbsnmp with default 
password 
  "dbsnmp" and give him some database privileges. 
  For 8i releases, these privileges are mostly grants on V_$ views 
  For 9i releases, this user is granted with "SELECT ANY DICTIONARY" 
privilege 
  which is a powerful one (can see any sys objects like link$ which 
stores unencrypted passwords) 
   -- 
  One can argue that the security policy of the site should ensure that 
default passwords 
  must be changed.. 
  But even in this case, I'm sure that over the time many databases will 
reverse to the default 
  password because catproc.sql (which execute automatically catsnmp) is 
required by Oracle 
  when applying patchsets and sometimes individual patches. 
  _ 
  I asked Oracle one week ago to place an alert on that matter and was 
referred by support analyst 
  to bug #2432163 which is publically visible in their Metalink site. 
  (i thought naively that all security problems were kept out from 
prying eyes...) 

  They refused to escalate this bug to severity 1 because there is a 
workaround (disabling this user). 
   BUT most oracle dbas don't know about this risky behavior in their 
back !!