CVE-2018-2879 - Vulnerability Details

Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID <a href="http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2386496.1">My Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Oracle	Access Manager

Configuration 1 [-]

OR	cpe:2.3:a:oracle:access_manager:11.1.2.3.0:::::::*
	cpe:2.3:a:oracle:access_manager:12.2.1.3.0:::::::*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html
http://seclists.org/fulldisclosure/2019/Apr/28
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.securityfocus.com/bid/103788
http://www.securitytracker.com/id/1040695
https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit
https://seclists.org/bugtraq/2019/Apr/27
https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/

History

Thu, 03 Oct 2024 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2018-04-19T02:00:00

Updated: 2024-10-03T20:08:16.990Z

Reserved: 2017-12-15T00:00:00

Link: CVE-2018-2879

Vulnrichment

Updated: 2024-08-05T04:36:38.640Z

NVD

Status : Modified

Published: 2018-04-19T02:29:07.803

Modified: 2024-11-21T04:04:40.597

Link: CVE-2018-2879

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object