Bob Rudis, Chief Data Scientist at Rapid7 commented below as part of security experts comments series on OAM flaw.
Bob Rudis, Chief Data Scientist at Rapid7:
“A flaw in the way Oracle Access Manager (OAM) authenticates connections was discovered by the security firm SEC Consult and patched in the most recent Oracle security patch release cycle. By crafting a series of URLs, attackers can cause OAM to believe it has received a valid authentication cookie and allow access to protected resources. A secondary feature of the OAM flaw is that this brute-force attack also enables the attacker to impersonate any application user: i.e. anything from a ‘regular user’ to accounts with administrator-level access.
According to the researchers, there are potentially over 11,000 internet-reachable services that — if not patched — are susceptible to this attack. Aggregated data from Rapid7’s Project Sonar, PublicWWW and other sources also show active, vulnerable instances are currently live on the internet.
The danger is not just to internet-connected systems. Because this attack does not require authentication, attackers that gain an entry point into an organisation’s network — say, through a phishing attack — can seek out OAM-protected internal applications and use this vulnerability to gain highly privileged access to any data that the application is designed to process or access.
Thankfully, due to the the noisy, brute-force nature of this attack organisations can monitor their application and web server logs for large numbers of invalid authentication attempts or for a pattern of authentication attempts as seen in the SEC Consult example attack description (https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/#OAMBlogpost-Demo).
Any organisation running OAM 11g and 12c should make patching a priority to avoid becoming a victim of this attack and suffer either a data breach or a data loss event.”
