The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

"Oracle Access Manager security bug so serious it let anyone access protected data" (Liam Tung)

Gene Wirchenko
Thu, 03 May 2018 09:15:02 -0700
By Liam Tung | May 3, 2018—12:42 GMT (05:42 PDT) | Topic: Security
The moral? Don't roll your own crypto, security researcher tells Oracle.

selected text:

A bug that Oracle recently patched broke the main functionality of Oracle
Access Manager (OAM), which should only give authorized users access to
protected enterprise data.

However, researchers at Austrian security firm SEC-Consult found a flaw in
OAM's cryptographic format that allowed them to create session tokens for
any user, which the attacker could use to impersonate any legitimate user
and access web apps that OAM should be protecting.

"What's more, the session cookie crafting process lets us create a session
cookie for an arbitrary username, thus allowing us to impersonate any user
known to the OAM."
