
MFT SFTP Embedded server allows access even with wrong password (Doc ID 3036646.1)

Last updated on JULY 29, 2024

Applies to:

Oracle Managed File Transfer - Version 12.2.1.4.0 and later
Information in this document applies to any platform.

Symptoms

On : 12.2.1.4.0 version, MFT Runtime Server

Anyone connecting through SFTP with an admin LDAP account via a client application (e.g. WinSCP) is allowed connectivity to the MFT SFTP Embedded server folders regardless of the password provided.

Oracle MFT performs the authentication in the background and eventually locks the account, but in the meantime the user can access all directories in the account.

Authentication through local accounts is not affected.

The LDAP admin group is given admin rights via "Roles and Policies" > "Global Roles" > "Roles" > "Admin".

ERROR
-----------------------
[2024-02-21T00:30:13.152+00:00] [mft_server1] [TRACE] [] [oracle.mft.EMBEDDED_SERVER] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SRC_CLASS: oracle.tip.mft.common.logging.api.LogService] [SRC_METHOD: __log] oracle.mft.EMBEDDED_SERVER.: Authenticating user: xxxxx
[2024-02-21T00:30:13.357+00:00] [mft_server1] [ERROR] [] [oracle.mft.SECURITY] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] Exception while Authenticating User :xxxxx[[
oracle.igf.ids.AuthenticationException: Authentication failed for user uid=xxxxx,ou=people,dc=openiamdemo,dc=com. AdditionalInfo: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]
at oracle.igf.ids.arisid.ArisIdServiceManager.findEntity(ArisIdServiceManager.java:1701)
at oracle.igf.ids.UserManager.authenticateUser(UserManager.java:532)
at oracle.igf.ids.UserManager.authenticateUser(UserManager.java:465)
at oracle.tip.mft.security.IdentityServiceImpl.authenticate(IdentityServiceImpl.java:153)
at oracle.tip.mft.es.MFTESAuthenticationManagerImpl.authenticate(MFTESAuthenticationManagerImpl.java:92)
at oracle.tip.es.security.authentication.impl.PasswordAuthenticatorSSH.authenticate(PasswordAuthenticatorSSH.java:101)
at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.checkPassword(UserAuthKeyboardInteractive.java:75)
at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.doAuth(UserAuthKeyboardInteractive.java:68)
at org.apache.sshd.server.auth.AbstractUserAuth.next(AbstractUserAuth.java:53)
at org.apache.sshd.server.session.ServerUserAuthService.process(ServerUserAuthService.java:159)
at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:456)
at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:351)
at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:810)
at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:333)
at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)
at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)
at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)
at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)
at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
at sun.nio.ch.Invoker$2.run(Invoker.java:218)
at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:750)
Caused by: oracle.igf.ids.arisid.ArisIdAuthException: Authentication failed for user uid=xxxxxx,ou=people,dc=openiamdemo,dc=com. AdditionalInfo: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]
at com.oracle.ovd.arisid.OvdStackUtil.checkPasswordPolicyException(OvdStackUtil.java:835)
at com.oracle.ovd.arisid.OvdIdsStackProvider.doFind(OvdIdsStackProvider.java:1445)
at com.oracle.ovd.arisid.ArisIdStackProvider.doFind(ArisIdStackProvider.java:172)
at org.openliberty.arisid.Interaction.doFind(Interaction.java:1022)
at oracle.igf.ids.arisid.ArisIdServiceManager.findEntity(ArisIdServiceManager.java:1632)
... 25 more

]]
[2024-02-21T00:30:13.358+00:00] [mft_server1] [TRACE] [] [oracle.mft.SECURITY] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SRC_CLASS: oracle.tip.mft.common.logging.api.LogService] [SRC_METHOD: __log] oracle.mft.SECURITY.: Exception while authenticating the user:xxxxxxx
[2024-02-21T00:30:13.360+00:00] [mft_server1] [TRACE] [] [oracle.mft.SECURITY] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SRC_CLASS: oracle.tip.mft.common.logging.api.LogService] [SRC_METHOD: __log] oracle.mft.SECURITY.: Embedded Server Authentication request for user: xxxxxxx from Client Host: xxxxxxxxxxxx and Client IP: xxxxxxxxxxxxxx
[2024-02-21T00:30:13.360+00:00] [mft_server1] [ERROR] [] [oracle.mft.EMBEDDED_SERVER] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: xxxxxxxxxxxxx] [APP: mft-app] [partition-name: DOMAIN] [tenant-name: GLOBAL] Authentication failed, Invalid subject
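As an added defender-side example (not from this article or from Oracle), the following Python parses MFT diagnostic log lines in the ODL format shown above, including the multi-line [[ ... ]] exception payload, and extracts every LDAP "error code 49" failure that oracle.mft.SECURITY recorded, so the affected LDAP accounts can be reviewed while the fix is pending. The sample log is constructed; the user, DN, ecid and thread values are placeholders.

```python
import re
# One ODL header field "[...]", allowing one nested bracket level as in
# [tid: sshd-SshServer[3d2509e8]-nio2-thread-2].
FIELD = re.compile(r"\[((?:[^\[\]]|\[[^\[\]]*\])*)\]\s*")
LDAP_FAIL = re.compile(r"failed for user (?P<dn>\S+?)\. .*LDAP Error (?P<code>\d+)")

def parse_odl(text):
    """Split ODL text into records; a message ending in '[[' continues until a ']]' line."""
    records, cur = [], None
    for line in text.splitlines():
        if cur is not None:                         # inside a [[ ... ]] exception payload
            if line.strip() == "]]":
                records.append(cur)
                cur = None
            else:
                cur["payload"].append(line)
            continue
        fields, pos = [], 0
        while (m := FIELD.match(line, pos)):
            fields.append(m.group(1))
            pos = m.end()
        if len(fields) < 5:                         # stack-trace or blank line, not a header
            continue
        tid = next((f[5:] for f in fields if f.startswith("tid: ")), "")
        cur = {"ts": fields[0], "level": fields[2], "component": fields[4],
               "tid": tid, "message": line[pos:].removesuffix("[["), "payload": []}
        if not line.endswith("[["):
            records.append(cur)
            cur = None
    return records

def ldap_failures(text):
    """LDAP 'error code 49' failures from oracle.mft.SECURITY: (timestamp, thread, uid, dn)."""
    hits = []
    for rec in parse_odl(text):
        if rec["component"] != "oracle.mft.SECURITY" or rec["level"] != "ERROR":
            continue
        m = next(filter(None, map(LDAP_FAIL.search, rec["payload"])), None)
        if m and m["code"] == "49":
            uid = m["dn"].split(",", 1)[0].split("=", 1)[1]
            hits.append((rec["ts"], rec["tid"], uid, m["dn"]))
    return hits

def _hdr(ts, level, comp, msg):  # constructed ODL line in the article's format; placeholder values
    return f"[{ts}] [mft_server1] [{level}] [] [{comp}] [tid: sshd-SshServer[3d2509e8]-nio2-thread-2] [userId: ] [ecid: 0000] [APP: mft-app] {msg}"
SAMPLE_LOG = "\n".join([
    _hdr("2024-02-21T00:30:13.357+00:00", "ERROR", "oracle.mft.SECURITY", "Exception while Authenticating User :jdoe[["),
    "oracle.igf.ids.AuthenticationException: Authentication failed for user uid=jdoe,ou=people,dc=example,dc=com. AdditionalInfo: LDAP Error 49 : [LDAP: error code 49 - Invalid Credentials]",
    "\tat oracle.igf.ids.UserManager.authenticateUser(UserManager.java:532)", "]]",
    _hdr("2024-02-21T00:30:13.360+00:00", "ERROR", "oracle.mft.EMBEDDED_SERVER", "Authentication failed, Invalid subject")])
```

The embedded-server record "Authentication failed, Invalid subject" by itself does not reveal whether the session was nevertheless granted access, so the extracted failures are a review list, not proof of compromise.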


BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, unauthorized users are allowed access to the MFT SFTP Embedded server.

Changes

 

Cause
