Oracle Access Manager security bug so serious it let anyone access protected data

The moral? Don't roll your own crypto, security researcher tells Oracle.
Written by Liam Tung, Contributing Writer

Video: Oracle urges customers to install latest patch: It fixes 254 vulnerabilities.

A bug that Oracle recently patched broke the main functionality of Oracle Access Manager (OAM), which should only give authorized users access to protected enterprise data.

OAM provides an authentication function for web applications based on Oracle Fusion Middleware. It can be used to provide and block access to external mobile and cloud applications.

However, researchers at Austrian security firm SEC-Consult found a flaw in OAM's cryptographic format that allowed them to create session tokens for any user, which the attacker could use to impersonate any legitimate user and access web apps that OAM should be protecting.

As SEC-Consult explains, OAM-protected web servers feature an authentication component called an Oracle WebGate.

When users attempt to access a protected resource from the web server, they're bumped across to an OAM page to enter a username and password. If successful, they're redirected back to the web application and can log in using an encrypted authentication token that's stored in a browser cookie.

However, a flaw in OAM's custom cryptographic format allowed SEC-Consult researcher Wolfgang Ettlinger to use a padding oracle attack to decrypt the authentication token.

"We found that a cryptographic format used by the OAM exhibits a serious flaw," explained Ettlinger.

"By exploiting this vulnerability, we were able to craft a session token. When a WebGate is presented with this token, it would accept it as a legitimate form of authentication and allow us to access protected resources.

"What's more, the session cookie crafting process lets us create a session cookie for an arbitrary username, thus allowing us to impersonate any user known to the OAM."

Oracle Fusion Middleware 11g and 12c were affected by the vulnerability in the OAM authentication engine, which is tracked as CVE-2018-2879 and got a CVSS v3 score of 9.0 out of a possible 10 in Oracle's April critical patch update.

Ettlinger said there are two lessons to be drawn from the bug: "You do not roll your own crypto" and "You DO NOT roll your own crypto".

"Cryptography is very hard to get exactly right. Even when using standard implementations of algorithms, it is challenging to design a proper cryptographic format or protocol," he wrote.

"Quite often, seemingly secure implementations can exhibit serious vulnerabilities -- and that goes way beyond the rather well-known padding oracle attack that was demonstrated here," he wrote."

Previous and related coverage

Oracle critical update fixes 254 flaws -- so get patching now

Fixes for vulnerabilities spread across 20 products and a Solaris patch that addresses the Spectre processor flaw.

Oracle Solaris patch theft lands IT-support CEO in jail for two years

Oracle is happy that Terix's CEO is being jailed and fined $100,000.

Meltdown-Spectre: Oracle's critical patch update offers fixes against CPU attacks

The enterprise software giant is working on Spectre fixes for Solaris on Sparc V9.

Oracle pushes emergency patch for critical Tuxedo server vulnerabilities

Two of the vulnerabilities have achieved a rating of 10 and 9.9 in severity.

Editorial standards