OAM 11.1.2.0 / 11.1.2.1 Change Password page does not validate Old Password (Doc ID 1635474.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.0.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Access Manager (OAM) 11.1.2.0 or 11.1.2.1 has been configured to use the OAM Password Plugin for password management.

When a user is redirected to the OAM Change Password page to change their password, e.g. for first-time logins or users whose passwords have been reset, any value can be entered for Old Password. The Old Password value submitted is not validated.

Steps to reproduce

1. In a new browser session, access a resource protected by the OAM Release 2 (R2) Password Plugin.
2. The OAM SSO login page is displayed.
3. User submits valid credentials.
4. OAM validates the credentials but the user entry has obpasswordchangeflag=true or obpasswordcreationdate > password lifetime so OAM redirects the user to the OAM Change Password page.
5. User submits any value for Old Password, and a New Password value that conforms to password policy requirements.
6. The user's password is successfully changed.
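The defect described above is a change-password handler that never compares the submitted Old Password against the stored credential before accepting the new one. The following added example (not Oracle's code, and not the OAM Password Plugin's implementation) contrasts a handler with that defect against a corrected one, using a constructed in-memory user record and a hypothetical `must_change` flag standing in for the forced-change condition in step 4. All function and field names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical user record: a salted PBKDF2 hash plus a flag modelling the
# forced-change condition (obpasswordchangeflag=true or expired password).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(username: str, password: str, must_change: bool = False) -> dict:
    # Constructed sample record; a real store would persist this.
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "hash": _hash_password(password, salt),
        "must_change": must_change,
    }


def verify_password(record: dict, password: str) -> bool:
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))


def meets_policy(password: str) -> bool:
    # Minimal stand-in for a password policy: length, one letter, one digit.
    return (
        len(password) >= 8
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def _set_password(record: dict, new_password: str) -> None:
    record["salt"] = os.urandom(16)
    record["hash"] = _hash_password(new_password, record["salt"])
    record["must_change"] = False


def change_password_vulnerable(record: dict, old_password: str, new_password: str) -> bool:
    # Mirrors the symptom: old_password is received but never checked, so any
    # value is accepted as long as the new password satisfies the policy.
    if not meets_policy(new_password):
        return False
    _set_password(record, new_password)
    return True


def change_password_fixed(record: dict, old_password: str, new_password: str) -> bool:
    # Corrected flow: the caller must prove possession of the current password
    # even on the forced-change path (must_change=True), then the new value is
    # policy-checked and must differ from the old one.
    if not verify_password(record, old_password):
        return False
    if not meets_policy(new_password):
        return False
    if verify_password(record, new_password):
        return False
    _set_password(record, new_password)
    return True


if __name__ == "__main__":
    user = make_user("alice", "Correct-Horse-1", must_change=True)
    print("vulnerable accepts wrong old password:",
          change_password_vulnerable(user, "not-the-password", "NewPassw0rd!"))
    user = make_user("alice", "Correct-Horse-1", must_change=True)
    print("fixed rejects wrong old password:",
          not change_password_fixed(user, "not-the-password", "NewPassw0rd!"))
    print("fixed accepts correct old password:",
          change_password_fixed(user, "Correct-Horse-1", "NewPassw0rd!"))
```

The check that matters is the first line of `change_password_fixed`: the forced-change redirect in step 4 already proves the user held the current password at login, but the change form is a separate request, so the handler must re-verify the old password rather than trusting the session state alone.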

Cause
