VULNERABILITIES EXPOSE ORACLE OAM 10G TO REMOTE SESSION HIJACKING

VULNERABILITIES EXPOSE ORACLE OAM 10G TO REMOTE SESSION HIJACKING

By | July 12th, 2017
No Comments on VULNERABILITIES EXPOSE ORACLE OAM 10G TO REMOTE SESSION HIJACKING

Oracle’s next quarterly Critical Patch Update is slated for July 18, but

two vulnerabilities in an older version of the company’s Oracle Access

Manager (OAM) solution won’t be among the bugs patched.


														
							

Version 10g of the software, Oracle’s solution for web access management and user administration, suffers from two issues: an open redirect vulnerability, and the fact that it sends cookie values in GET requests.

The software features a proprietary multiple network domain SSO capability. Critical to that is ObSSOCookie, a super cookie of sorts. If a user was tricked into clicking through a link via phishing email, for example, and logging into the OAM portal, a remote attacker could read that cookie value and hijack that session, Nabeel Ahmed and Tom Gilis, security researchers based in Belgium warned on Monday.

Ahmed, a senior security assessment consultant at the security firm Dimension Data Belgium, said he and Gilis combed through 100 “high profile domains” running OAM 10g. Only one of the sites was adequately protected against the attack. Ahmed and Gilis discovered the vulnerability while performing a penetration testing assessment for a client earlier this spring.

Source

Google
Nisheeth Bhakuni