
Password Not Validated in Login Process (Doc ID 2991792.1)

Last updated on DECEMBER 12, 2023

Applies to:

Oracle Communications Billing and Revenue Management - Version and later
Information in this document applies to any platform.


On Billing and Revenue Management 12.0 Patch Set 8 (BRM 12.0 PS8), it was found that one can connect with a bad password.

The following test case was performed:
Update the pin.service_t table and set the passwd column to a plain-text value (not md5, aes or ozt).
Because BRM 12.0 PS8 is not able to validate the password, anyone can log in to BRM with a bad password. It looks like the password is not validated if it cannot be decrypted.

Test Case:
1. Old password: root. password

update service_t set passwd = 'passwordXXXXX' where poid_id0 in (1,2);

select poid_id0, poid_type, login, passwd, status from service_t where poid_id0 in (1,2) and poid_type in ('/service/pcm_client', '/service/admin_client');

POID_ID0   POID_TYPE              LOGIN   PASSWD         STATUS
---------- ---------------------- ------- -------------- ------
1          /service/pcm_client    root.   passwordXXXXX  10100
2          /service/admin_client  root.   passwordXXXXX  10100

3. Test a connection with a bad password:
    $ cd <BRM_HOME>/sys/test
    $ grep "^\- nap login_name" pin.conf
    - nap login_name root.

    $ grep "^\- nap login_pw" pin.conf

    ii. Password is in the wallet:
    $ pin_config_editor -getconf -wallet $PIN_HOME/wallet/client -parameter "-.login_pw"
    Enter Password for the wallet:
    P2r1bpcM0E                                   #### IMPORTANT NOTE: It can be any password. "P2r1bpcM0E" was picked at random, purely for illustration.


    iii. Use testnap to connect:
    $ testnap
    ===> database from pin.conf "userid"
    nap(1486856)> id /service/pcm_client 1 14476004 /event/session 0 0
      NULL trans_flist

    ----------  ---------- ---------------          ---------------
             1          1      /service/pcm_client 14476004
    1 row selected.

CONCLUSION: BRM12 PS8 connects with user "root." using an incorrect password (P2r1bpcM0E).
Note: with any password testnap connects fine.
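
The behaviour the test case points to (no comparison when the stored value cannot be decoded) is a fail-open check. The following Python sketch is an added example, not Oracle's or BRM's code: it models that failure beside a fail-closed form and an audit of stored values. The "<scheme>|<hex digest>" layout, the sha256 scheme and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Assumed storage layout for this sketch: "<scheme>|<hex digest>".
# This is a constructed format, not BRM's real one.
KNOWN_SCHEMES = {"sha256": lambda pw: hashlib.sha256(pw.encode()).hexdigest()}


class UndecodableCredential(Exception):
    """The stored value is not in any recognized scheme."""


def decode_stored(stored):
    scheme, sep, digest = stored.partition("|")
    if not sep or scheme not in KNOWN_SCHEMES:
        raise UndecodableCredential("unrecognized scheme")
    return scheme, digest


def verify_fail_open(stored, supplied):
    """Models the reported behaviour: a decode error skips the comparison."""
    try:
        scheme, digest = decode_stored(stored)
    except UndecodableCredential:
        return True  # BUG: nothing was compared, yet the login proceeds
    return hmac.compare_digest(KNOWN_SCHEMES[scheme](supplied), digest)


def verify_fail_closed(stored, supplied):
    """Hardened form: an undecodable stored value always denies the login."""
    try:
        scheme, digest = decode_stored(stored)
    except UndecodableCredential:
        return False
    return hmac.compare_digest(KNOWN_SCHEMES[scheme](supplied), digest)


def audit(rows):
    """Return the POIDs whose stored password no verifier can decode."""
    bad = []
    for poid, stored in rows:
        try:
            decode_stored(stored)
        except UndecodableCredential:
            bad.append(poid)
    return bad


# Constructed rows: POID 1 mirrors the plain-text value from the test case.
ROWS = [(1, "passwordXXXXX"), (3, "sha256|" + hashlib.sha256(b"s3cret").hexdigest())]
```

Running audit(ROWS) flags POID 1, the row whose value matches no scheme, which is the kind of row the test case creates with its UPDATE.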



