Users Can Execute Commands Not Allowed In Policy By Adding A Newline Character. (Doc ID 2231413.1)

Last updated on FEBRUARY 22, 2017

Applies to:

Oracle Privileged Account Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

Users can bypass the whitelist and blacklist command policies by adding a newline character to their command line.

In the following example, the usage policy's whitelisted commands do not include the "ls" command.

When a user enters the "ls -lart" command, it shows "Not allowed" as expected. However, if the user then copies the entire line (with blank space) and pastes it into the OPAMSH# prompt, the command is executed.

OPAMSH# ls -lart
ls -l -lart : Not allowed
OPAMSH# ls -lart
ls -l -lart : Not allowedls -lart
total 40
-rw-r--r-- 1 opam_unix1 oracle 6 May 11 2015 testfile1
-rw-r--r-- 1 opam_unix1 oracle 6 May 11 2015 testfile2
-rw------- 1 opam_unix1 oracle 708 May 11 2015 .viminfo
drwx------ 5 opam_unix1 oracle 4096 May 11 2015 .
-rw------- 1 opam_unix1 oracle 1410 Jan 10 02:07 .bash_history
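
The following is an added example, not Oracle's code and not taken from this document: it shows one way a command policy check can disagree with the shell about a multi-line buffer, next to a stricter check that rejects embedded line separators. The mechanism is an assumption (the cause is not stated above), and the allow-list and all function names are hypothetical.

```python
import shlex
import unicodedata

# Constructed allow-list for the example; "ls" is deliberately absent,
# matching the usage policy described above.
ALLOWED_COMMANDS = {"pwd", "whoami", "id"}


def naive_is_allowed(raw: str) -> bool:
    """Weak check (assumed failure mode): judges the whole buffer by its first word."""
    words = raw.split()
    return bool(words) and words[0] in ALLOWED_COMMANDS


def commands_a_shell_would_run(raw: str) -> list[str]:
    """A shell reading the same buffer treats every non-empty line as a command."""
    return [line.strip() for line in raw.splitlines() if line.strip()]


def strict_check(raw: str) -> tuple[bool, str]:
    """Hardened check: one command per submission, no embedded control characters."""
    # Tolerate only the single line terminator produced by pressing Enter.
    body = raw[:-1] if raw.endswith("\n") else raw
    body = body[:-1] if body.endswith("\r") else body
    for ch in body:
        # Cc = control characters (\n, \r, \x0b, tab, ...);
        # Zl/Zp = Unicode line and paragraph separators.
        if unicodedata.category(ch) in ("Cc", "Zl", "Zp"):
            return False, f"rejected: control character {ch!r} in command"
    try:
        argv = shlex.split(body)
    except ValueError as exc:  # e.g. unbalanced quotes
        return False, f"rejected: {exc}"
    if not argv:
        return False, "rejected: empty command"
    if argv[0] not in ALLOWED_COMMANDS:
        return False, f"{argv[0]} : Not allowed"
    return True, "allowed"


if __name__ == "__main__":
    pasted = "pwd\nls -lart\n"  # constructed sample of a pasted multi-line buffer
    print("naive check passes:", naive_is_allowed(pasted))
    print("shell would run:   ", commands_a_shell_would_run(pasted))
    print("strict check:      ", strict_check(pasted))
```

The strict check covers line separators only, which is the case this document describes; a real policy engine also has to decide how it treats other shell metacharacters.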

Cause
