Oracle has released a patch for a critical vulnerability in Oracle Identity Manager. Unpatched versions ship with a default account that is reachable over HTTP and can be used to take control of the Identity Manager system. Exploitation requires no end-user interaction, and Oracle describes the flaw as easily exploitable by threat actors.


What you should do:

  • Perform a business impact review and apply the Oracle patch immediately; this was issued as an out-of-band Security Alert rather than waiting for the next quarterly Critical Patch Update.
  • Audit exposed services and disable or remove all default accounts, not only the one covered by this alert.


Additional Information
This vulnerability is tracked as CVE-2017-10151. On the Common Vulnerability Scoring System (CVSS) it carries a base score of 10.0, the maximum possible.
Affected versions of Oracle Identity Manager include:

  • 11.1.1.7
  • 11.1.1.9
  • 11.1.2.1.0
  • 11.1.2.2.0
  • 11.1.2.3.0
  • 12.2.1.3.0


For more information please visit:

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html

http://www.securityweek.com/oracle-patches-critical-flaw-identity-manager

eSentire Media Contacts

Mandy Bachus | eSentire | [email protected] | +1 519.651.2200 x5226 | @MandyBachus

Angela Tuzzo | MRB Public Relations | [email protected] | +1 732.758.1100 x105 | @MRB_PR
