My Oracle Support Banner

Oracle Access Manager 11g R2PS3 (OAM 11.1.2.3) WebGate – Enabling Strict Cookie Name Suffix Generation (Doc ID 2386892.1)

Last updated on MARCH 03, 2020

Applies to:

Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.



Purpose

This document describes how changes introduced by Oracle Access Manager 11g R2PS3 (OAM 11.1.2.3) WebGate bug fix in the April 2018 bundle patch may impact an existing Oracle Access Manager deployment.

A WebGate scoped Cookie has the format OAMAuthnCookie_<Host>:<Port> , where the <Host> is populated with the value from the Host header in the HTTP Request. By manipulating the Host Header, it is possible to change the name of the issued cookie. This Cookie name changes does not expose any security vulnerability in Oracle Access Manager 11g but it allows a malicious actor to degrade the user experience and cause a denial of service.

The bug fix introduces strict verification of the Host Header value against the Web Server Hostname defined in the Web Server configuration. As a result, this is a change in behavior that may cause operational issues.

Scope

 

Details

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Purpose
Scope
Details
 Known Issues

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.