A padding oracle vulnerability in Oracle Access Manager (OAM) allows an attacker to decrypt and encrypt certain cryptographic messages. An attacker could craft arbitrary authentication tokens to bypass authentication tokens and impersonate any user account. This security vulnerability completely breaks the main functionality of the OAM product. The security patches from the Oracle CPU (April 2018) have to be applied immediately! An attacker can abuse this vulnerability to log in to any resource protected by the OAM using any user account, even administrative accounts!
Source: https://sec-consult.com/vulnerability-lab/advisory/authentication-bypass-in-oracle-access-manager/