Oracle has released a patch for a critical vulnerability affecting Oracle Identity Manager. Unpatched versions of Oracle Identity Manager ship with a default account that is reachable over HTTP and can be used to take control of the identity management system. Exploitation requires no end-user interaction, and Oracle has described the vulnerability as easily exploitable by threat actors.
What you should do:
- Perform a business impact review and apply Oracle patches immediately.
- Audit services and remove all default accounts.
This vulnerability is tracked as CVE-2017-10151. On the Common Vulnerability Scoring System (CVSS), this vulnerability is rated 10/10.
Affected versions of Oracle Identity Manager include:
For more information please visit: