Oracle OIM CVE-2017-10151 ASM Mitigation
Could someone please confirm if ASM currently offers or will offer protection against default account logon noted in cve-2017-10151? Thank you.
- zack
I am also interested in it...
- samstep
First of all the patch is already available from Oracle, so instead of trying to protect your OIM using F5 ASM just patch your OIM now.
There is also a workaround (if you don't want to patch for some reason) which involves changing the password of user OIMINTERNAL (as it is a single space by default!!!)
Ref:
https://www.integrigy.com/security-resources/cve-2017-10151-oracle-identity-manager-vulnerability
I am not aware of an ASM Signature which detects this, but it is not that difficult to create a custom one to detect any login attempts with username OIMINTERNAL.
You can also quickly mitigate this vulnerability in your ASM policy by setting the minimum length on the password parameter "pt1:_pt_it2" to 8 characters on URL: "/oim/faces/pages/Login.jspx"
For any attacker trying to log in with a password shorter than 8 characters (which includes the single-space password), ASM will trigger the "Illegal parameter value length" violation (make sure it is set to Block if you want to block).
- samstep
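The two checks samstep describes (a custom signature on the username OIMINTERNAL, and a minimum length on the password parameter "pt1:_pt_it2" for "/oim/faces/pages/Login.jspx"), expressed as standalone detection logic over constructed login requests. This is an added example, not code from the thread or from F5; the username parameter name "pt1:_pt_it1" is an assumption, since the thread only names the password parameter.

```python
from urllib.parse import parse_qs

# Values taken from the thread
LOGIN_URL = "/oim/faces/pages/Login.jspx"
PASSWORD_PARAM = "pt1:_pt_it2"
MIN_PASSWORD_LEN = 8
DEFAULT_ACCOUNT = "OIMINTERNAL"
# Assumed username field name (not stated in the thread)
USERNAME_PARAM = "pt1:_pt_it1"


def check_login_request(method, path, body):
    """Return the violations one HTTP request would raise (empty list if clean).

    Mirrors the two ASM controls: a custom signature matching the default
    OIMINTERNAL account name, and the "Illegal parameter value length"
    violation for a password shorter than MIN_PASSWORD_LEN characters.
    """
    violations = []
    # Only POSTs to the OIM login page are in scope for these checks
    if method.upper() != "POST" or path.split("?", 1)[0] != LOGIN_URL:
        return violations
    # keep_blank_values so an empty password still counts as present
    params = parse_qs(body, keep_blank_values=True)
    user = params.get(USERNAME_PARAM, [""])[0]
    pwd = params.get(PASSWORD_PARAM, [""])[0]
    if user.upper() == DEFAULT_ACCOUNT:
        violations.append("custom_signature:OIMINTERNAL_login")
    if PASSWORD_PARAM in params and len(pwd) < MIN_PASSWORD_LEN:
        violations.append("illegal_parameter_value_length")
    return violations


# Constructed sample requests (method, path, url-encoded body); not real traffic.
# "+" decodes to a single space, i.e. the default OIMINTERNAL password.
SAMPLE_REQUESTS = [
    ("POST", LOGIN_URL, "pt1:_pt_it1=OIMINTERNAL&pt1:_pt_it2=+"),
    ("POST", LOGIN_URL, "pt1:_pt_it1=alice&pt1:_pt_it2=Str0ngPassw0rd"),
    ("POST", LOGIN_URL, "pt1:_pt_it1=oiminternal&pt1:_pt_it2=longenoughpw"),
    ("GET", LOGIN_URL, ""),
]


def scan(requests):
    """Run the check over a list of requests and pair each with its violations."""
    return [(path, check_login_request(m, path, b)) for m, path, b in requests]
```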
In case you missed this - a custom signature has now been published by F5 here:
Hope this helps,
Sam