Oracle Access Manager (OAM) Apache Based WebGates Enabling Strict Cookie Name Suffix Generation
(Doc ID 2386892.1)
Last updated on OCTOBER 01, 2021
Applies to:Oracle Access Manager - Version 184.108.40.206.170418 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.
This document describes how changes introduced by Oracle Access Manager (OAM) 11g/12c Apache based WebGates Bug fix in the April 2018 Bundle Patch(BP) and above, which may impact an existing Oracle Access Manager deployment.
A WebGate scoped Cookie has the format OAMAuthnCookie_<Host>:<Port> , where the <Host> is populated with the value from the Host header in the HTTP Request. By manipulating the Host Header, it is possible to change the name of the issued cookie. This Cookie name changes do not expose any security vulnerability in Oracle Access Manager 11g/12c, but it allows a malicious actor to degrade the user experience and cause a denial of service.
The bug fix introduces strict verification of the Host Header value against the Web Server Hostname defined in the Web Server configuration. As a result, this is a change in behavior that may cause operational issues.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document