CVE-2012-0518 — Oracle Fusion Middleware Unspecified Vulnerability

Oracle Fusion Middleware Application Server SSO — Open Redirect Enables Phishing via Trusted Oracle URLs

What is Oracle Application Server Single Sign-On?

Oracle Application Server Single Sign-On (OracleAS SSO) is an authentication service in Oracle Fusion Middleware that provides centralized login for Oracle web applications. When a user attempts to access a protected application, they are redirected to the SSO login page, authenticate, and are then redirected back to the original application. The redirect URL is typically passed as a parameter in the SSO login URL. Oracle AS SSO is deployed in enterprise environments to unify authentication across Oracle E-Business Suite, Oracle Portal, Oracle WebCenter, and other Oracle applications.

Overview

CVE-2012-0518 is an open redirect vulnerability (CWE-601) in the Oracle Application Server Single Sign-On component of Oracle Fusion Middleware. The SSO server accepts a redirect URL parameter without proper validation, allowing an attacker to craft a login URL that appears to originate from a trusted Oracle SSO server but redirects the victim to an attacker-controlled phishing site after authentication.

The CVSS Scope: Changed (S:C) rating reflects that the impact extends beyond the vulnerable Oracle SSO component itself — the attacker can redirect users to entirely external systems.

Oracle patched this vulnerability in the October 2012 Critical Patch Update.

Affected Versions

Component: Oracle Application Server Single Sign-On (within Oracle Fusion Middleware)
Affected Versions: Versions prior to the October 2012 CPU
Fixed: October 2012 CPU

Technical Details

Open redirect (CWE-601) occurs when a web application accepts a user-supplied URL and redirects to it without validating that the destination is a trusted location. In the Oracle AS SSO context:

  1. An attacker crafts a URL to the Oracle SSO login page with a forged return_url parameter pointing to a phishing site: https://sso.company.com/login?return_url=https://attacker.com/phish
  2. The victim clicks the link — the URL appears to belong to the trusted sso.company.com domain
  3. The victim authenticates normally at the real Oracle SSO login page
  4. After authentication, the SSO server redirects the victim to https://attacker.com/phish instead of a legitimate application
  5. The attacker's phishing page harvests credentials, session tokens, or other sensitive information

The "Unspecified vulnerability" wording in Oracle's advisory is typical of Oracle's security advisories, which historically provide minimal technical detail.

Discovery

The vulnerability was identified through security research and reported to Oracle through their coordinated vulnerability disclosure process, resulting in inclusion in the October 2012 CPU.

Exploitation Context

CISA confirmed exploitation in the wild. Open redirect vulnerabilities are particularly effective in enterprise Oracle environments because:

  • Users are conditioned to click Oracle SSO login URLs sent by IT or application teams
  • The redirect URL appears to originate from the trusted Oracle SSO domain, making phishing highly convincing
  • Successful phishing of enterprise credentials provides access to the full Oracle application suite protected by that SSO instance

Remediation

  1. Apply the October 2012 Oracle CPU or any subsequent CPU that includes this fix
  2. Stay current on Oracle Critical Patch Updates — Oracle releases CPUs quarterly; apply within the quarter they are issued
  3. Implement server-side redirect validation that restricts the return_url parameter to a predefined allowlist of trusted application URLs
  4. Deploy email security controls to detect and block links to Oracle SSO URLs with suspicious redirect parameters
  5. Consider Oracle AS SSO product lifecycle — if the SSO component is end-of-life, migrate to Oracle Access Manager or a modern identity provider (IdP)
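The following is an added example, not code from the page or from Oracle: a server-side allowlist check for the return_url parameter described in the Technical Details and in remediation step 3, plus a link inspector of the kind remediation step 4 calls for. The allowlisted hosts and the sso.company.com SSO host are constructed assumptions; the page's own example link is used as the rejected input.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of partner-application hosts that may receive a post-login
# redirect (assumption: a real deployment loads this from its SSO partner registry).
TRUSTED_REDIRECT_HOSTS = {"portal.company.com", "ebs.company.com", "webcenter.company.com"}
SSO_HOST = "sso.company.com"  # constructed SSO server host, as in the page's example URL


def is_safe_return_url(return_url: str, trusted_hosts=TRUSTED_REDIRECT_HOSTS) -> bool:
    """Allowlist check for return_url (remediation step 3).

    Accepts only absolute https URLs whose host is on the allowlist, or a
    path-relative URL such as "/portal/home" that stays on the SSO origin.
    Everything else, including the CVE-2012-0518 style external target, is rejected.
    """
    if not return_url or any(ch in return_url for ch in "\r\n\x00"):
        return False
    # Browsers treat backslashes like slashes; normalise first so that
    # "https:\\attacker.com" or "/\\attacker.com" cannot bypass the host check.
    candidate = return_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: a single leading slash only; "//host/..." is scheme-relative
        # and would leave the SSO origin, so it is excluded.
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme.lower() != "https":
        return False  # rejects http:, javascript:, data: and other schemes
    # .hostname strips userinfo and port, so "https://sso.company.com@attacker.com"
    # resolves to attacker.com and fails the allowlist lookup.
    host = (parts.hostname or "").lower().rstrip(".")
    return host in trusted_hosts


def check_sso_link(link: str) -> Tuple[Optional[str], bool]:
    """Inspect an SSO login link (remediation step 4 style mail/URL filtering).

    Returns (return_url value or None, True if that value passes the allowlist).
    """
    parts = urlsplit(link)
    if (parts.hostname or "").lower() != SSO_HOST:
        return None, False  # not a link to our SSO login page
    target = parse_qs(parts.query).get("return_url", [None])[0]
    return target, target is not None and is_safe_return_url(target)
```

For the page's example link, check_sso_link returns the external phishing target with a False verdict, while a link whose return_url points at an allowlisted application passes.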

Key Details

CVE ID: CVE-2012-0518
Vendor / Product: Oracle — Fusion Middleware
NVD Published: 2012-10-16
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 4.7
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Severity: MEDIUM
CWE: CWE-601
CISA KEV Added: 2022-03-28
CISA KEV Deadline: 2022-04-18
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

2012-10-16: Oracle releases the October 2012 CPU patching CVE-2012-0518 in Oracle AS Single Sign-On
2012-10-16: CVE-2012-0518 published
2022-03-28: Added to the CISA Known Exploited Vulnerabilities catalog
2022-04-18: CISA BOD 22-01 remediation deadline

References

NVD — CVE-2012-0518 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)
Oracle Critical Patch Update — October 2012 (Vendor Advisory)