VULNERABILITIES EXPOSE ORACLE OAM 10G TO REMOTE SESSION HIJACKING
Oracle’s next quarterly Critical Patch Update is slated for July 18, but
two vulnerabilities in an older version of the company’s Oracle Access
Manager (OAM) solution won’t be among the bugs patched.
Version 10g of the software, Oracle’s solution for web access management and user administration, suffers from two issues: an open redirect vulnerability, and the fact that it sends cookie values in GET requests.
The software features a proprietary multiple network domain SSO capability. Critical to that is ObSSOCookie, a super cookie of sorts. If a user was tricked into clicking through a link via phishing email, for example, and logging into the OAM portal, a remote attacker could read that cookie value and hijack that session, Nabeel Ahmed and Tom Gilis, security researchers based in Belgium warned on Monday.
Ahmed, a senior security assessment consultant at the security firm Dimension Data Belgium, said he and Gilis combed through 100 “high profile domains” running OAM 10g. Only one of the sites was adequately protected against the attack. Ahmed and Gilis discovered the vulnerability while performing a penetration testing assessment for a client earlier this spring.
