MFT SFTP Embedded server allows access even with wrong password
(Doc ID 3036646.1)
Last updated on JULY 29, 2024
Applies to:
Oracle Managed File Transfer - Version 12.2.1.4.0 and later
Information in this document applies to any platform.
Symptoms
On: 12.2.1.4.0 version, MFT Runtime Server
Anyone connecting through SFTP with an admin LDAP account from a client application (e.g. WinSCP) is granted access to the MFT SFTP Embedded server folders regardless of the password provided.
Oracle MFT performs the authentication in the background and eventually locks the account, but in the meantime the user can access all directories in the account.
Authentication through local accounts is not affected.
The LDAP admin group is given admin rights via "Roles and Policies" > "Global Roles" > "Roles" > "Admin".
ERROR
-----------------------
[2024-02-21T00:30:13.152+00:00] [mft_server1] [TRACE] [] [oracle.mft.EMBEDDED_SERVER] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SRC_CLASS: oracle.tip.mft.common.logging.api.LogService] [SRC_METHOD: __log] oracle.mft.EMBEDDED_SERVER.: Authenticating user: xxxxx
[2024-02-21T00:30:13.357+00:00] [mft_server1] [ERROR] [] [oracle.mft.SECURITY] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] Exception while Authenticating User :xxxxx[[
oracle.igf.ids.AuthenticationException: Authentication failed for user uid=xxxxx,ou=people,dc=openiamdemo,dc=com. AdditionalInfo: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]
at oracle.igf.ids.arisid.ArisIdServiceManager.findEntity(ArisIdServiceManager.java:1701)
at oracle.igf.ids.UserManager.authenticateUser(UserManager.java:532)
at oracle.igf.ids.UserManager.authenticateUser(UserManager.java:465)
at oracle.tip.mft.security.IdentityServiceImpl.authenticate(IdentityServiceImpl.java:153)
at oracle.tip.mft.es.MFTESAuthenticationManagerImpl.authenticate(MFTESAuthenticationManagerImpl.java:92)
at oracle.tip.es.security.authentication.impl.PasswordAuthenticatorSSH.authenticate(PasswordAuthenticatorSSH.java:101)
at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.checkPassword(UserAuthKeyboardInteractive.java:75)
at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.doAuth(UserAuthKeyboardInteractive.java:68)
at org.apache.sshd.server.auth.AbstractUserAuth.next(AbstractUserAuth.java:53)
at org.apache.sshd.server.session.ServerUserAuthService.process(ServerUserAuthService.java:159)
at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:456)
at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:351)
at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:810)
at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:333)
at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)
at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)
at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)
at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)
at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
at sun.nio.ch.Invoker$2.run(Invoker.java:218)
at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:750)
Caused by: oracle.igf.ids.arisid.ArisIdAuthException: Authentication failed for user uid=xxxxxx,ou=people,dc=openiamdemo,dc=com. AdditionalInfo: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]
at com.oracle.ovd.arisid.OvdStackUtil.checkPasswordPolicyException(OvdStackUtil.java:835)
at com.oracle.ovd.arisid.OvdIdsStackProvider.doFind(OvdIdsStackProvider.java:1445)
at com.oracle.ovd.arisid.ArisIdStackProvider.doFind(ArisIdStackProvider.java:172)
at org.openliberty.arisid.Interaction.doFind(Interaction.java:1022)
at oracle.igf.ids.arisid.ArisIdServiceManager.findEntity(ArisIdServiceManager.java:1632)
... 25 more
]]
[2024-02-21T00:30:13.358+00:00] [mft_server1] [TRACE] [] [oracle.mft.SECURITY] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SRC_CLASS: oracle.tip.mft.common.logging.api.LogService] [SRC_METHOD: __log] oracle.mft.SECURITY.: Exception while authenticating the user:xxxxxxx
[2024-02-21T00:30:13.360+00:00] [mft_server1] [TRACE] [] [oracle.mft.SECURITY] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SRC_CLASS: oracle.tip.mft.common.logging.api.LogService] [SRC_METHOD: __log] oracle.mft.SECURITY.: Embedded Server Authentication request for user: xxxxxxx from Client Host: xxxxxxxxxxxx and Client IP: xxxxxxxxxxxxxx
[2024-02-21T00:30:13.360+00:00] [mft_server1] [ERROR] [] [oracle.mft.EMBEDDED_SERVER] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] Authentication failed, Invalid subject
BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, unauthorized users are allowed access to the MFT SFTP Embedded server.
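The trace above shows the LDAP bind failing (error code 49) on the same sshd thread that started the login, while the session still proceeds. As an added example that is not part of the Oracle note, the parser below reads that ODL record format (including the multi-line [[ ... ]] exception body and the nested brackets in the tid field) and correlates the "Authenticating user" and "Authentication failed" events per thread, so an administrator can list the failed LDAP attempts and check them against later session activity; the sample log lines, user names and DN are constructed.

```python
import re
# Constructed sample in the ODL format of the MFT embedded-server log above; user
# names, ecid values and the LDAP DN are placeholders, not from any real system.
SAMPLE_LOG = """\
[2024-02-21T00:30:13.152+00:00] [mft_server1] [TRACE] [] [oracle.mft.EMBEDDED_SERVER] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: e1] [APP: mft-app] oracle.mft.EMBEDDED_SERVER.: Authenticating user: alice
[2024-02-21T00:30:13.357+00:00] [mft_server1] [ERROR] [] [oracle.mft.SECURITY] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: e1] [APP: mft-app] Exception while Authenticating User :alice[[
oracle.igf.ids.AuthenticationException: Authentication failed for user uid=alice,ou=people,dc=example,dc=com. AdditionalInfo: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]
]]
[2024-02-21T00:30:13.360+00:00] [mft_server1] [ERROR] [] [oracle.mft.EMBEDDED_SERVER] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: e1] [APP: mft-app] Authentication failed, Invalid subject
[2024-02-21T00:31:02.001+00:00] [mft_server1] [TRACE] [] [oracle.mft.EMBEDDED_SERVER] [tid: sshd-SshServer[3d2509e8]-nio2-thread-5] [userId: ] [ecid: e2] [APP: mft-app] oracle.mft.EMBEDDED_SERVER.: Authenticating user: bob
"""
# One bracketed ODL field, allowing one level of nested brackets because tid
# values look like sshd-SshServer[3d2509e8]-nio2-thread-2.
FIELD_RE = re.compile(r"\[((?:[^\[\]]|\[[^\[\]]*\])*)\]")
USER_RE = re.compile(r"Authenticating [Uu]ser ?:\s*([^\s\[]+)")
LDAP_ERR_RE = re.compile(r"LDAP Error (\d+)")
def split_fields(line):
    """Return (leading bracketed fields, remaining free-text message)."""
    fields, pos = [], 0
    while (m := FIELD_RE.match(line, pos)):
        fields.append(m.group(1))
        pos = m.end() + (1 if line.startswith(" ", m.end()) else 0)
    return fields, line[pos:]

def parse_records(text):
    """Group lines into records; a line without a timestamp field (exception body) joins the previous record."""
    records = []
    for line in text.splitlines():
        fields, msg = split_fields(line)
        if fields and fields[0][:4].isdigit():
            tid = next((f[4:].strip() for f in fields if f.startswith("tid:")), "")
            records.append({"ts": fields[0], "tid": tid, "msg": msg})
        elif records:
            records[-1]["msg"] += "\n" + line
    return records

def failed_auths(text):
    """One (user, tid, timestamp, ldap_error) tuple per SSH thread whose login attempt failed."""
    pending, events = {}, []              # tid -> user of an in-flight attempt
    for rec in parse_records(text):
        m = USER_RE.search(rec["msg"])
        if "Authentication failed" not in rec["msg"]:
            pending[rec["tid"]] = m.group(1) if m else pending.get(rec["tid"])
            continue
        user = m.group(1) if m else pending.get(rec["tid"])
        pending.pop(rec["tid"], None)     # attempt is over: at most one event per thread
        if user:
            err = LDAP_ERR_RE.search(rec["msg"])
            events.append((user, rec["tid"], rec["ts"], int(err.group(1)) if err else None))
    return events
```

Run against the real mft_server1 diagnostic log, every tuple returned for an LDAP admin account marks a session whose later file operations should be reviewed, since the note says the account is only locked after the fact.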
Changes
Cause