OIDDAS With Oracle Access Manager 11g (OAM 11.1.2.2.x), "Manage My Password" Function Allows Incorrect Old Password (Doc ID 2215734.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.1.0 and later
Information in this document applies to any platform.

Symptoms

OIDDAS With Oracle Access Manager 11g (OAM 11.1.2.2.x), "Manage My Password" Function Allows Incorrect Old Password

Using the OIDDAS "Manage My Password" function, users can change their password while supplying any value in the Old Password field; the old password is not verified.


Steps to Reproduce:

1. Access and log into the OIDDAS application:
http://oamserver.domain:7779/oiddas/

2. Select Login.

3. Log in as orcladmin/welcome1.

4. Navigate to My Profile, Manage My Password.

5. For Old Password, enter an invalid password, e.g. bozo1.
New Password and Confirm Password = welcome2

6. Submit. The message "Password was successfully Changed" is displayed.

7. Log out, then clear the browser cache and cookies.

8. Access and log into the OIDDAS application again:
http://oamserver.domain:7779/oiddas/

9. Select Login.

10. Log in as orcladmin/welcome2. Authentication succeeds, so the password was changed even though the old password supplied in step 5 was wrong.
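As an added illustration that is not Oracle's code (the document does not show how OIDDAS implements the change), the reproduction steps above replayed against an in-memory model of a password-change handler: the affected behaviour (old password never checked) beside the check a handler should apply, re-authenticating with the supplied old password before modifying the entry. The UserStore class, the hashing scheme and the handler signatures are constructed for this example; the user and password values are the ones from the steps.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the directory's user entries (hypothetical model,
# not OID's storage): uid -> (salt, PBKDF2 digest).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    def __init__(self):
        self._entries = {}

    def add_user(self, uid: str, password: str) -> None:
        salt = os.urandom(16)
        self._entries[uid] = (salt, _hash(password, salt))

    def authenticate(self, uid: str, password: str) -> bool:
        # Models an LDAP simple bind: succeeds only with the current password.
        entry = self._entries.get(uid)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def set_password(self, uid: str, password: str) -> None:
        self.add_user(uid, password)

def change_password_vulnerable(store, uid, old_pw, new_pw, confirm_pw) -> bool:
    # Only the confirmation field is checked; old_pw is never verified,
    # which is the behaviour the symptom section describes.
    if new_pw != confirm_pw:
        return False
    store.set_password(uid, new_pw)
    return True

def change_password_hardened(store, uid, old_pw, new_pw, confirm_pw) -> bool:
    # Re-authenticate with old_pw before the entry is touched.
    if new_pw != confirm_pw or not store.authenticate(uid, old_pw):
        return False
    store.set_password(uid, new_pw)
    return True

def accepts_wrong_old_password(change_fn) -> bool:
    """Replay steps 3-10 against a handler: bogus old password (step 5),
    submit (step 6), then bind with the new password (step 10).
    Returns True when the handler is affected."""
    store = UserStore()
    store.add_user("orcladmin", "welcome1")
    changed = change_fn(store, "orcladmin", "bozo1", "welcome2", "welcome2")
    return changed and store.authenticate("orcladmin", "welcome2")
```

The same replay can serve as a regression check after patching: a fixed handler must return False from accepts_wrong_old_password while still accepting a change that supplies the correct old password.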


Cause
