My Oracle Support Banner

Oracle Access Manager 11g/12c: CVE-2018-2879 (Doc ID 2386496.1)

Last updated on FEBRUARY 03, 2022

Applies to:

Oracle Access Manager - Version to [Release 11g]
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.


This document describes the fix for a security vulnerability reported against Oracle Access Manager  (OAM). Remediation requires applying the April 2018 CPU (or later) for the Server and WebGate followed by a Server side configuration update to enable the fix.

This vulnerability affects all supported version of Oracle Access Manager deployed with WebGate Agents. It does not affect other supported Agent types such as Oracle SSO (mod_sso) and OpenSSO Agents.


A response to this security vulnerability requires applying both the Oracle Access Manager (OAM) Server and WebGate April 2018 (or later) Critical Patch Update (CPU). In addition, we strongly recommend active monitoring of your deployment for potential signs of this vulnerability being exploited.

Detection requires monitoring the following Oracle Access Manager diagnostic mechanisms:

1. Server logs
 For more details on logging in 11gR2PS3, please refer to
Configuring Logging for Access Manager 

2. Performance Metrics
 For more details on performance metrics in 11gR2PS3, please refer to
Performance Monitoring 

Note: For other versions of OAM, please refer to the version specific OAM Admin Guide.

Start by monitoring the Server logs for the following patterns:


 Pattern in log file 


 java.lang.RuntimeException: Obrareq query string integrity check failed at   

 2 NAPException in parsing the Obrareq request
     at by: Exception in decryption

 Caused by: javax.crypto.BadPaddingException: Given final block not properly padded 


When the velocity of the pattern occurrence increases in a short time interval, please review the and DMS metrics.

When the OAMLoginRequest counts go up much faster than the OAMLoginResponse count and this can be correlated with a similar increase in the velocity of the patterns in the log file emanating from a single or small # of source IP Address(es), a defensive response to mitigate the risk would be to throttle/block the source IP Address(es).

Note: Source IP Address of a request is not captured in the OAM Server logs but can be determined by looking at the Access Logs for the Web Tier component.



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
 Currently Available WebGate/ASDK Patches
 OAM Server Compatibility Patch for pre- Webgates
 OAM Server (Both ECC and DCC)
 The following is the process to introduce/update the flag value in an OAM 12c environment:
 The following is the process to introduce/update the flag value in an OAM 11g environment:
 DCC Webgates
 Resource Webgates
 ASDK Applications
 Related Issues
 Known Issues

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.