Skip to content
Multithreaded Padding Oracle Attack on Oracle OAM (CVE-2018-2879)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information. Update Aug 6, 2019 Critical bug fix Aug 6, 2019


Multithreaded Padding Oracle Attack on Oracle OAM (CVE-2018-2879)


Red Timmy (Marco Ortisi, Stefan Broeder, Ahmad Mahfouz)


This multithreaded exploit was developed to greatly increase the speed of the attack as compared to the single threaded version. For more information about the technical details of the attack, see this blog post by SEC Consult:

Screenshot of OAMBuster

The first two stages will quickly verify whether the website is vulnerable to the attack. Stage 3 will launch the multithreaded Padding Oracle attack.

More information

Please adjust the valid_padding() function to catch the error that is returned from a padding failure in your environment.

For more information about the exploit and our trainings on advanced Java attacks, see

You can’t perform that action at this time.