Oracle Access Manager 11g R2PS3 (OAM 188.8.131.52) WebGate – Enabling Strict Cookie Name Suffix Generation
(Doc ID 2386892.1)
Last updated on MARCH 03, 2020
Applies to:Oracle Access Manager - Version 184.108.40.206.0 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.
This document describes how changes introduced by Oracle Access Manager 11g R2PS3 (OAM 220.127.116.11) WebGate bug fix in the April 2018 bundle patch may impact an existing Oracle Access Manager deployment.
A WebGate scoped Cookie has the format OAMAuthnCookie_<Host>:<Port> , where the <Host> is populated with the value from the Host header in the HTTP Request. By manipulating the Host Header, it is possible to change the name of the issued cookie. This Cookie name changes does not expose any security vulnerability in Oracle Access Manager 11g but it allows a malicious actor to degrade the user experience and cause a denial of service.
The bug fix introduces strict verification of the Host Header value against the Web Server Hostname defined in the Web Server configuration. As a result, this is a change in behavior that may cause operational issues.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document