EBS APPS password is visible in Stat OA log file in debug mode

When migrating a SQL Script, the OA log shows the APPS password.

This should not be visible in the log.

Hotfix F didn't completely correct the issue.

  • Hello Amanda,

    Do you mean that the fix mentioned in HF-f

    "EBS APPS password is visible in Stat OA log file addressed with # STAT-5749"

    is not correcting the issue at all?

    If that is so, I will address this with our Dev Team, and also I would like you to share with me the repercussions of this issue:

    - Risks depending on this password being revealed.

    - Assets involved in this risk.

    - Approximate number of people involved.

    - What would happen if the password is revealed?

    Thank you!

  • Amanda, please email us directly and keep this communication in a safer channel.

    Regards,

    JW.

  • Hi Amanda,

    Historically, the Stat Agents debug level was used, and should still be used, by the Stat Agents Administrator or on Support request.
    It is intended to track in more detail what the Agents do, in order to solve problematic issues.

    On customer request, for Stat operational cycles (Test connection, archive, migration, etc.), Dev hides the APPS password in Stat 6.3 HF-f (STAT-5749),
    which is working as expected.

    Separately, and regardless of the Stat operational cycles, when the OA starts, Stat performs a full check on the configuration/connection,
    and the APPS password will ONLY be visible if the OA returns an error because something is missing or wrong, including a wrong password,
    helping the Stat Administrator to identify and solve the issue quickly. Does it make sense?

  • Hi Gio,

    Thanks for following up.

    I understand the explanation; however, I still don't agree with the reasoning, and would like to see the password removed from the debug log.

    A couple points to note:

    -  When the password is incorrect, the debug error message already indicates the reason (e.g. "Please verify the APPS username and password and listener port and service name in Stat's configuration. Exception: ORA-01017: invalid username/password; logon denied").

    -  When submitting a ticket with Quest Support, the log in debug mode is regularly required. This continues to present a security issue.

    -  Internal to our company we have defined roles and the Stat Administrator is not allowed to know the Apps Database password.
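The two points above (the password surfaces in the OA start-up connection check, and the debug log then has to be handed to Support) suggest a defensive step the administrator can take regardless of the hotfix: scrub the log before it leaves the company. The following is an added example, not code from Quest or from the thread; the log lines are constructed to mimic the situation described and `s3cr3tApps!` is a placeholder for the APPS password.

```python
import re

# Constructed sample of Stat OA debug output (not real Quest log format).
# Line 2 shows a key/value leak, line 3 the genuine ORA-01017 error that the
# administrator still needs, and line 4 the same secret in an Oracle
# easy-connect string, where no "password=" key gives it away.
SAMPLE_LOG = """\
2024-01-01 10:00:01 DEBUG OA start: checking EBS configuration
2024-01-01 10:00:02 DEBUG connect user=APPS password=s3cr3tApps! host=ebs-db port=1521 service=PROD
2024-01-01 10:00:03 ERROR Please verify the APPS username and password and listener port and service name in Stat's configuration.  Exception:  ORA-01017: invalid username/password; logon denied
2024-01-01 10:00:04 DEBUG connection string: APPS/s3cr3tApps!@ebs-db:1521/PROD
2024-01-01 10:00:05 DEBUG migration step 1 of 3
"""

# Matches "password=value", "pwd: value", etc.; the separator is required so
# the prose "username and password and listener" in the error line is left alone.
KEY_VALUE = re.compile(r"(?i)\b(password|passwd|pwd)(\s*[=:]\s*)(\S+)")
MASK = "[REDACTED]"


def redact(text: str, secrets=()) -> tuple:
    """Return (scrubbed_text, hit_count).

    Pass 1 masks any password-style key/value pair even when the value is
    not known in advance.  Pass 2 masks the known secret literals wherever
    else they occur (connection strings, stack traces), which pass 1 misses.
    """
    text, hits = KEY_VALUE.subn(lambda m: f"{m.group(1)}{m.group(2)}{MASK}", text)
    for secret in secrets:
        if secret:
            text, n = re.subn(re.escape(secret), MASK, text)
            hits += n
    return text, hits


def safe_to_share(text: str, secrets) -> bool:
    """True only if none of the known secrets survive in the text."""
    return not any(s and s in text for s in secrets)


if __name__ == "__main__":
    cleaned, n = redact(SAMPLE_LOG, ["s3cr3tApps!"])
    print(cleaned, f"{n} redaction(s); safe to attach: {safe_to_share(cleaned, ['s3cr3tApps!'])}")
```

The ORA-01017 line is preserved untouched, so Support still sees the failure reason while the credential itself never leaves the company.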

  • I logged the security defect STAT-5974 on your behalf.

    Please review the next Stat 6.3 Hotfix Release Notes to verify in which one this defect is solved.