Password Not Validated in Login Process
(Doc ID 2991792.1)
Last updated on DECEMBER 12, 2023
Applies to:
Oracle Communications Billing and Revenue Management - Version 12.0.0.8.0 and later
Information in this document applies to any platform.
Symptoms
On Billing and Revenue Management 12.0 PatchSet 8 (BRM 12.0 PS8) it was found that a client can connect with an incorrect password.
The following test case was performed:
Update the pin.service_t table so that the passwd column holds a plain-text value (not MD5, AES, or OZT encrypted).
Because BRM 12.0 PS8 cannot validate such a password, anyone can log in to BRM with an incorrect password. It appears that the password is not validated at all when it cannot be decrypted.
Test Case:
--------------
1. Original password for login root.0.0.0.1: password
2. Set the passwd column to a plain-text value and check the rows:
update service_t set passwd = 'passwordXXXXX' where poid_id0 in (1,2);
commit;
select poid_id0, poid_type, login, passwd, status from service_t where poid_id0 in (1,2) and poid_type in ('/service/pcm_client', '/service/admin_client');
POID_ID0 POID_TYPE LOGIN PASSWD STATUS
---------- -------------------- --------------- ---------- -------
1 /service/pcm_client root.0.0.0.1 passwordXXXXX 10100
2 /service/admin_client root.0.0.0.1 passwordXXXXX 10100
3. Test a connection with an incorrect password:
i. Check the login configured in pin.conf (there is no login_pw entry):
$ cd <BRM_HOME>/sys/test
$ grep "^\- nap login_name" pin.conf
- nap login_name root.0.0.0.1
$ grep "^\- nap login_pw" pin.conf
<no_rows>
ii. Password is in the wallet:
$ pin_config_editor -getconf -wallet $PIN_HOME/wallet/client -parameter "-.login_pw"
Enter Password for the wallet:
P2r1bpcM0E ####IMPORTANT NOTE: It can be any password. "P2r1bpcM0E" was picked at random just for learning purposes.
iii. Use testnap to connect:
$ testnap
===> database 0.0.0.1 from pin.conf "userid"
nap(1486856)> id
0.0.0.1 /service/pcm_client 1 14476004
0.0.0.1 /event/session 0 0
NULL trans_flist
nap(1486856)>
POID_DB POID_ID0 POID_TYPE POID_REV
---------- ---------- --------------- ---------------
1 1 /service/pcm_client 14476004
1 row selected.
CONCLUSION: BRM12 PS8 connects with user "root.0.0.0.1" using an incorrect password (P2r1bpcM0E).
Note: testnap connects successfully with any password.
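As an added illustration (not BRM code; the table, the "md5:" tag and the function names are constructed stand-ins), the fail-open pattern the symptom suggests, a fail-closed version of the same check, and an audit that lists rows whose stored credential is not in a recognised encoded format:

```python
import hmac
from hashlib import md5

# Constructed stand-in for pin.service_t (login -> passwd). The "md5:" prefix is a
# hypothetical tag marking an encoded credential; BRM's real formats differ.
SERVICE_T = {
    "root.0.0.0.1": "md5:" + md5(b"password").hexdigest(),
    "tampered.0.0.0.1": "passwordXXXXX",  # plain text, as written by the test case
}

def decode_stored(stored: str) -> bytes:
    """Return the verifier bytes for a stored credential; raise on unknown format."""
    if stored.startswith("md5:"):
        return bytes.fromhex(stored[4:])
    raise ValueError("credential is not in a recognised encoded format")

def login_fail_open(login: str, password: str) -> bool:
    """Buggy pattern: a decode error is swallowed, so no mismatch is ever recorded."""
    stored = SERVICE_T.get(login)
    if stored is None:
        return False
    mismatch = False
    try:
        expected = decode_stored(stored)
        mismatch = not hmac.compare_digest(expected, md5(password.encode()).digest())
    except ValueError:
        pass  # bug: an undecodable credential is treated as "nothing to compare"
    return not mismatch

def login_fail_closed(login: str, password: str) -> bool:
    """Hardened: any failure to obtain a verifier denies the login."""
    stored = SERVICE_T.get(login)
    if stored is None:
        return False
    try:
        expected = decode_stored(stored)
    except ValueError:
        return False  # fail closed: cannot verify means deny
    return hmac.compare_digest(expected, md5(password.encode()).digest())

def find_undecodable(table: dict) -> list:
    """Audit: logins whose stored credential cannot be decoded (candidates for tampering)."""
    bad = []
    for login, stored in table.items():
        try:
            decode_stored(stored)
        except ValueError:
            bad.append(login)
    return bad
```

With the plain-text row, login_fail_open accepts the random password from the test case while login_fail_closed rejects it, and find_undecodable flags that row for review.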
Changes
Cause