Oracle Access Manager 11g/12c: CVE-2018-2879
(Doc ID 2386496.1)
Last updated on JULY 08, 2020
Applies to:Oracle Access Manager - Version 220.127.116.11.0 to 18.104.22.168.180116 [Release 11g]
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.
This document describes the fix for a security vulnerability reported against Oracle Access Manager (OAM). Remediation requires applying the April 2018 CPU (or later) for the Server and WebGate followed by a Server side configuration update to enable the fix.
This vulnerability affects all supported version of Oracle Access Manager deployed with WebGate Agents. It does not affect other supported Agent types such as Oracle SSO (mod_sso) and OpenSSO Agents.
A response to this security vulnerability requires applying both the Oracle Access Manager (OAM) Server and WebGate April 2018 (or later) Critical Patch Update (CPU). In addition, we strongly recommend active monitoring of your deployment for potential signs of this vulnerability being exploited.
Detection requires monitoring the following Oracle Access Manager diagnostic mechanisms:
1. Server logs
For more details on logging in 11gR2PS3, please refer to
Configuring Logging for Access Manager
2. Performance Metrics
For more details on performance metrics in 11gR2PS3, please refer to
Note: For other versions of OAM, please refer to the version specific OAM Admin Guide.
Start by monitoring the Server logs for the following patterns:
Pattern in log file
java.lang.RuntimeException: Obrareq query string integrity check failed at oracle.security.am.proxy.oam.pbl.plugin.OAMProxyEngine.handleOAMLoginRequest
oracle.security.am.common.utilities.exception.AmRuntimeException: NAPException in parsing the Obrareq request
oracle.security.am.common.exceptions.NAPException: Exception in decryption
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
When the velocity of the pattern occurrence increases in a short time interval, please review the OAMLoginRequest.active and OAMLoginResponse.active DMS metrics.
When the OAMLoginRequest counts go up much faster than the OAMLoginResponse count and this can be correlated with a similar increase in the velocity of the patterns in the log file emanating from a single or small # of source IP Address(es), a defensive response to mitigate the risk would be to throttle/block the source IP Address(es).
Note: Source IP Address of a request is not captured in the OAM Server logs but can be determined by looking at the Access Logs for the Web Tier component.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document
|Currently Available WebGate/ASDK Patches|
|OAM Server Compatibility Patch for pre-22.214.171.124 Webgates|
|OAM Server (Both ECC and DCC)|
|The following is the process to introduce/update the flag value in an OAM 12c environment:|
|The following is the process to introduce/update the flag value in an OAM 11g environment:|