A padding oracle vulnerability in Oracle Access Manager (CVE-2018-2879) can be exploited by attackers to bypass authentication and impersonate any user account.
The vulnerability arises from a flawed cryptographic format used by the OAM.
Book a demo today to see GlobalDots is action.
Optimize cloud costs, control spend, and automate for deeper insights and efficiency.

The vulnerability can be exploited to decrypt and encrypt messages used to communicate between the OAM and web servers. The researchers have managed to construct a valid session token and encrypt it, then pass it off as valid to the web server. This allowed them to access protected resources as a user already known to the OAM.
Read more: Help Net Security