Unauthenticated Vulnerability in Oracle Access Manager of Oracle Fusion Middleware
CVE-2018-2879

9CRITICAL

Key Information:

Vendor
Oracle
Status
Access Manager
Vendor
CVE Published:
19 April 2018

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 44%

Summary

This vulnerability exists within the Oracle Access Manager component of Oracle Fusion Middleware, allowing unauthenticated attackers with network access over HTTP to potentially compromise the authentication mechanisms of Oracle Access Manager. Supported versions affected include 11.1.2.3.0 and 12.2.1.3.0. The implications of this vulnerability can extend beyond Oracle Access Manager, presenting risks for other interconnected systems. Successful exploitation may grant attackers control over the Oracle Access Manager itself, posing significant risks to the integrity and availability of secured resources.

Affected Version(s)

Access Manager 11.1.2.3.0

Access Manager 12.2.1.3.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

OAMBuster
Created by redtimmy

Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit
Created by MostafaSoliman

oracle-oam-authentication-bypas-exploit
Created by AymanElSherif

References

http://www.securitytracker.com/id/1040695
vdb-entryx_refsource_SECTRACK
https://www.sec-consult.com/en/blog/2018/05/oracle-access...
x_refsource_MISC
http://www.oracle.com/technetwork/security-advisory/cpuap...
x_refsource_CONFIRM

EPSS Score

44% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.