Password Not Validated in Login Process (Doc ID 2991792.1)

Last updated on DECEMBER 12, 2023

Applies to:

Oracle Communications Billing and Revenue Management - Version 12.0.0.8.0 and later
Information in this document applies to any platform.

Symptoms

On Billing and Revenue Manager 12.0 PatchSet 8 (BRM 12.0 PS8), a user can connect with a bad password.

The following test case was performed:
Update the pin.service_t table and set the passwd column to a plain-text value (not md5, not aes or ozt).
Because BRM 12.0 PS8 is not able to validate the password, anyone can log in to BRM with a bad password. It looks like the password is not validated if the stored value can't be decrypted.


Test Case:
--------------
1. Old password: root.0.0.0.1 password

2.
update service_t set passwd = 'passwordXXXXX' where poid_id0 in (1,2);
commit;

select poid_id0, poid_type, login, passwd, status from service_t where poid_id0 in (1,2) and poid_type in ('/service/pcm_client', '/service/admin_client');

POID_ID0   POID_TYPE              LOGIN           PASSWD          STATUS
---------- ---------------------- --------------- --------------- -------
1          /service/pcm_client    root.0.0.0.1    passwordXXXXX   10100
2          /service/admin_client  root.0.0.0.1    passwordXXXXX   10100


3. Test a connection with a bad password:
    i.
    $ cd <BRM_HOME>/sys/test
    $ grep "^\- nap login_name" pin.conf
    - nap login_name root.0.0.0.1

    $ grep "^\- nap login_pw" pin.conf
    <no_rows>

    ii. Password is in the wallet:
    $ pin_config_editor -getconf -wallet $PIN_HOME/wallet/client -parameter "-.login_pw"
    Enter Password for the wallet:
    P2r1bpcM0E                                   #### IMPORTANT NOTE: It can be any password. "P2r1bpcM0E" was picked at random just for learning purposes.

    iii. Use testnap to connect:
    $ testnap
    ===> database 0.0.0.1 from pin.conf "userid"
    nap(1486856)> id
    0.0.0.1 /service/pcm_client 1 14476004
    0.0.0.1 /event/session 0 0
      NULL trans_flist
    nap(1486856)>


    POID_DB    POID_ID0   POID_TYPE            POID_REV
    ---------- ---------- -------------------- ----------
             1          1 /service/pcm_client    14476004
    1 row selected.


CONCLUSION: BRM12 PS8 connects with user "root.0.0.0.1" using an incorrect password (P2r1bpcM0E).
Note: with any password testnap connects fine.
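
The symptom above is what a fail-open credential check looks like: when the stored value cannot be read, the comparison is skipped instead of failing. The Python sketch below is an added example, not Oracle's code and not taken from this document; it models that behaviour beside a fail-closed version and adds an audit helper for rows like the ones in the test case. The "scheme|payload" layout, the function names and the sample rows are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a stored value looks like "scheme|payload", optionally prefixed
# with "&". Only a toy md5 comparison is modelled; aes/ozt are not reproduced.
KNOWN_SCHEMES = ("md5", "aes", "ozt")

def parse_stored(stored):
    """Return (scheme, payload), or None when the value has no known scheme."""
    scheme, sep, payload = (stored or "").partition("|")
    scheme = scheme.lstrip("&").lower()
    if not sep or not payload or scheme not in KNOWN_SCHEMES:
        return None
    return scheme, payload

def _compare(parsed, supplied):
    scheme, payload = parsed
    if scheme != "md5":
        return False  # not modelled here: reject rather than guess
    digest = hashlib.md5(supplied.encode()).hexdigest()
    return hmac.compare_digest(digest, payload.lower())

def verify_fail_open(stored, supplied):
    """Models the reported symptom: an unreadable stored value skips the check."""
    parsed = parse_stored(stored)
    if parsed is None:
        return True  # nothing to compare against, so the login proceeds
    return _compare(parsed, supplied)

def verify_fail_closed(stored, supplied):
    """Hardened form: an unreadable stored value is a failed login."""
    parsed = parse_stored(stored)
    return parsed is not None and _compare(parsed, supplied)

def audit(rows):
    """Return (poid_id0, login) for rows whose passwd cannot be parsed."""
    return [(r[0], r[2]) for r in rows if parse_stored(r[3]) is None]

# Constructed rows: 1 and 2 mirror the test case above, 3 is a made-up control.
ROWS = [
    (1, "/service/pcm_client", "root.0.0.0.1", "passwordXXXXX"),
    (2, "/service/admin_client", "root.0.0.0.1", "passwordXXXXX"),
    (3, "/service/pcm_client", "demo.user", "md5|" + hashlib.md5(b"s3cret").hexdigest()),
]

if __name__ == "__main__":
    print("fail-open  :", verify_fail_open(ROWS[0][3], "P2r1bpcM0E"))
    print("fail-closed:", verify_fail_closed(ROWS[0][3], "P2r1bpcM0E"))
    print("rows to fix:", audit(ROWS))
```
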

Changes

 

Cause
