Need Patch For Fixing Issue With "Broken Session & Session Management"
(Doc ID 2547599.1)
Last updated on NOVEMBER 29, 2019
Applies to: Oracle Commerce Platform - Version 11.1 and later
Information in this document applies to any platform.
On: 11.1 version, Application Framework (Repositories, APIs, Core Services)
Need patch for fixing issue with "Broken Session & Session Management"
If an attacker manages to sign in to a user's account, the attacker keeps access to that account until the session expires, even after the legitimate user changes the password.
To replicate, use two browsers:
Browser 1: Sign into valid account, capture JSESSIONID
Browser 2: Sign into same account, observe the different JSESSIONID used
Browser 2: Go to profile and change password
Browser 1: Even though the password has changed, the first session still has access to the account information and can continue browsing as a signed-in user.
We want to know if there is any patch (either in Oracle Commerce or WebLogic) available to invalidate all existing user sessions across the app server cluster once the password is changed.
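As an added illustration (not Oracle Commerce or WebLogic code), the following Python model shows the behaviour the question asks for: each session records the password "generation" it was issued under, so a password change revokes every older session on any node that shares the user record, without enumerating the cluster's session caches. The store, the toy hashing and all names are constructed for this example.

```python
# Model of revoking all of a user's sessions when the password changes: each
# session records the user's password "generation" at login; a password change
# bumps the generation in the shared user record, so sessions issued under an
# older generation fail their next check on any node of the cluster.
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _hash(password: str) -> str:
    # Constructed toy hashing for the demo; a real deployment uses a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class SessionStore:
    def __init__(self, users: Optional[Dict[str, Tuple[str, int]]] = None) -> None:
        # user_id -> (password_hash, pw_generation): shared across all nodes
        self.users: Dict[str, Tuple[str, int]] = users if users is not None else {}
        # session id -> (user_id, pw_generation at issue): this node's table
        self.sessions: Dict[str, Tuple[str, int]] = {}

    def register(self, user_id: str, password: str) -> None:
        self.users[user_id] = (_hash(password), 0)

    def login(self, user_id: str, password: str) -> Optional[str]:
        user = self.users.get(user_id)
        if user is None or user[0] != _hash(password):
            return None
        sid = secrets.token_urlsafe(32)  # stands in for JSESSIONID
        self.sessions[sid] = (user_id, user[1])
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        """Signed-in user for sid, or None once the session is stale."""
        if sid not in self.sessions:
            return None
        user_id, issued_gen = self.sessions[sid]
        if issued_gen != self.users[user_id][1]:
            del self.sessions[sid]  # password changed after login: revoke
            return None
        return user_id

    def change_password(self, sid: str, new_password: str) -> Optional[str]:
        """Change the password through a live session; returns a fresh id."""
        user_id = self.current_user(sid)
        if user_id is None:
            return None
        self.users[user_id] = (_hash(new_password), self.users[user_id][1] + 1)
        del self.sessions[sid]  # rotate the changer's own id as well
        return self.login(user_id, new_password)
```

Two `SessionStore` instances built over the same `users` dict behave like two cluster nodes: a password change made on one node invalidates the sessions held by the other.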