By Liam Tung | May 3, 2018—12:42 GMT (05:42 PDT) | Topic: Security
The moral? Don't roll your own crypto, security researcher tells Oracle.
A bug that Oracle recently patched broke the main functionality of Oracle
Access Manager (OAM), which should only give authorized users access to
protected enterprise data.
However, researchers at Austrian security firm SEC-Consult found a flaw in
OAM's cryptographic format that allowed them to craft session tokens for
any user. An attacker could use such tokens to impersonate any legitimate
user and access web apps that OAM should be protecting.
"What's more, the session cookie crafting process lets us create a session
cookie for an arbitrary username, thus allowing us to impersonate any user
known to the OAM."