VULNERABILITIES EXPOSE ORACLE OAM 10G TO REMOTE SESSION HIJACKING
Oracle’s next quarterly Critical Patch Update is slated for July 18, but two vulnerabilities in an older version of the company’s Oracle Access Manager (OAM) solution won’t be among the bugs patched.
Version 10g of the software, Oracle’s solution for web access management and user administration, suffers from two issues: an open redirect vulnerability, and the fact that it sends cookie values in GET requests.
The software features a proprietary multiple-network-domain SSO capability. Central to it is ObSSOCookie, a super cookie of sorts. If a user were tricked into clicking through a link, via a phishing email for example, and logging into the OAM portal, a remote attacker could read that cookie value and hijack the session, Nabeel Ahmed and Tom Gilis, security researchers based in Belgium, warned on Monday.
Ahmed, a senior security assessment consultant at the security firm Dimension Data Belgium, said he and Gilis combed through 100 “high profile domains” running OAM 10g. Only one of the sites was adequately protected against the attack. Ahmed and Gilis discovered the vulnerability while performing a penetration testing assessment for a client earlier this spring.
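The two weaknesses the article describes, an open redirect and a session cookie carried in GET requests, are both things a defender can check for. The example below is added here and is not code from the article, from Oracle, or from the researchers. It assumes a generic access-log format, constructed hostnames (`portal.example.com`, `sso.example.com`) and a constructed `/sso/login` path, and it assumes "cookie values in GET requests" means the `ObSSOCookie` value appears as a query-string parameter; only the cookie name comes from the article. The first function is the allowlist check a login portal should apply to any post-login redirect target; the second scans log lines for requests whose query string carries the SSO cookie, reporting the client and path without re-logging the value.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts this deployment may redirect to after login (constructed for the example).
ALLOWED_REDIRECT_HOSTS = {"portal.example.com", "sso.example.com"}


def is_safe_redirect(target: str) -> bool:
    """Accept only a site-relative path or an https URL whose host is allowlisted.

    Rejects scheme-relative targets (//evil), backslashes (some browsers
    normalise them to slashes), non-https schemes such as javascript:, and
    user@host tricks, because urlparse().hostname returns the real host.
    """
    if not target or "\\" in target or target.startswith("//"):
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Purely relative target such as /app/home; must be rooted on this site.
        return target.startswith("/")
    if parsed.scheme != "https":
        return False
    return parsed.hostname in ALLOWED_REDIRECT_HOSTS


# Common-log-style access line: client, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines; the cookie value is a placeholder, not a real token.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2017:12:00:00 +0000] "GET /sso/login?ObSSOCookie=PLACEHOLDER_VALUE HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Jul/2017:12:00:01 +0000] "POST /sso/login HTTP/1.1" 200 512',
]


def requests_leaking_sso_cookie(log_lines):
    """Return (client_ip, path) for each GET whose query string carries ObSSOCookie.

    The cookie value itself is deliberately not returned, so the detection
    output does not become a second place the session token is stored.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parsed = urlparse(m.group("target"))
        params = parse_qs(parsed.query, keep_blank_values=True)
        if "ObSSOCookie" in params:
            hits.append((m.group("ip"), parsed.path))
    return hits


if __name__ == "__main__":
    for ip, path in requests_leaking_sso_cookie(SAMPLE_LOG):
        print(f"SSO cookie in query string from {ip} on {path}")
```

In a real deployment the allowlist would be loaded from configuration rather than hard-coded, and the log scan is a starting point for an alert rule: any hit means a session token has been written to a log, a proxy, or a browser history where it can be read later.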
