Oracle Access Manager is a terrible doorman: Get patching this bug
Security tool can be gamed to let any old riffraff into data
A security vulnerability in Oracle Access Manager leaves the network authentication tool leaning more toward "access" than "manager."
The flaw, classified as CVE-2018-2879, can be exploited by a remote attacker to bypass an Oracle Access Manager (OAM) authentication screen and, in the process, take over the account of any user or administrator on a vulnerable system.
Designed to manage remote connections to cloud and mobile apps via a single sign-on page, with multi-factor authentication, OAM is offered by Oracle as a part of the security and administration tools for its middleware and PaaS platforms.
According to researcher Wolfgang Ettlinger of SEC Consult Vulnerability Lab, a miscreant can exploit a flaw in the way OAM handles encrypted messages to trick the software into accidentally disclosing information that can be used to log in as someone else. Specifically, a padding oracle attack can, ultimately, disclose an account's authorization cookie.
An attacker properly gaming the OAM flaw would then be able to create and execute a script that generates valid login keys for any desired user, including administration accounts. From there, the attacker is able to simply write their own login credentials and take complete control over OAM.
"An attacker can abuse this vulnerability to log in to any resource protected by the OAM using any user account, even administrative accounts," Ettlinger explains.
"This security vulnerability completely breaks the main functionality of the OAM product."
Fortunately, there is already a solution in place. Ettlinger said his company contacted Oracle about the flaw and the enterprise software giant was able to slip a fix for the vulnerability into its April security updates.
As Oracle's patch is the only known way to address the flaw, it is recommended that administrators make sure they have that update applied. Versions 188.8.131.52.0 and 184.108.40.206.0 and earlier are still vulnerable. Even then, Ettlinger notes, that this flaw was even present is not a very good sign.
"Since the vulnerability was found in such a central component of the OAM, we suspect that an insufficient amount of attention has been given to information security," Ettlinger notes.
"Given the central position in an organization's security infrastructure, we recommend Oracle's customers either conduct a full audit of the component or request the results of such audits from Oracle." ®