Security advisories | Feb 26, 2019

Oracle Identity Manager Vulnerability

Oracle has released a patch for a critical vulnerability affecting Oracle Identity Manager. Unpatched versions of Oracle Identity Manager ship with a default account that can be accessed over HTTP and used to take control of the identity management system. Exploitation does not require any end-user interaction, and Oracle has described the flaw as easily exploitable by threat actors.

What you should do:

  • Perform a business impact review and apply Oracle patches immediately.
  • Audit services and remove all default accounts.

Additional Information

This vulnerability is tracked as CVE-2017-10151. On the Common Vulnerability Scoring System (CVSS), it is rated 10/10.

Affected versions of Oracle Identity Manager include:

  • 11.1.1.7
  • 11.1.1.9
  • 11.1.2.1.0
  • 11.1.2.2.0
  • 11.1.2.3.0
  • 12.2.1.3.0
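The two actions above (patch the affected releases, audit and remove default accounts) start with an inventory check. The script below is an added example, not Oracle's code or part of the original advisory: it normalises Oracle Identity Manager version strings so that `11.1.1.7` and `11.1.1.7.0` compare equal, flags hosts running one of the releases listed above, and reports enabled accounts that match a watch-list. The advisory does not name the default account, so the watch-list entries and the host inventory are constructed placeholders to be replaced with the names from Oracle's alert and your own records.

```python
"""Triage helper for CVE-2017-10151 (added example, not Oracle's code).

Flags Oracle Identity Manager hosts whose version is in the advisory's
affected list and surfaces enabled accounts that match a default-account
watch-list.
"""

import re
from typing import Dict, Iterable, List, Tuple

# Affected releases exactly as listed in the advisory.
AFFECTED_VERSIONS = [
    "11.1.1.7",
    "11.1.1.9",
    "11.1.2.1.0",
    "11.1.2.2.0",
    "11.1.2.3.0",
    "12.2.1.3.0",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '11.1.1.7.0' to (11, 1, 1, 7).

    Trailing zero components are dropped so that '11.1.1.7' and
    '11.1.1.7.0' describe the same release; a non-numeric suffix such as
    '12.2.1.3.0-BP01' is ignored rather than treated as a different version.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


_AFFECTED = {parse_version(v) for v in AFFECTED_VERSIONS}


def is_affected(version: str) -> bool:
    """True when the reported version is one of the advisory's affected releases."""
    return parse_version(version) in _AFFECTED


def triage_inventory(hosts: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames, from (hostname, version) pairs, that need the patch."""
    return [host for host, version in hosts if is_affected(version)]


# Hypothetical watch-list: the advisory does not name the default account,
# so these are placeholders, not real Oracle account names.
DEFAULT_ACCOUNT_WATCHLIST = {"DEFAULT_ACCOUNT_PLACEHOLDER_1", "DEFAULT_ACCOUNT_PLACEHOLDER_2"}


def find_enabled_default_accounts(
    accounts: Iterable[Dict[str, object]],
    watchlist: Iterable[str] = DEFAULT_ACCOUNT_WATCHLIST,
) -> List[str]:
    """Return watch-listed account names that are still enabled.

    Matching is case-insensitive because directory exports do not agree on
    the case of account names.
    """
    wanted = {name.upper() for name in watchlist}
    return sorted(
        str(acct["name"])
        for acct in accounts
        if str(acct["name"]).upper() in wanted and bool(acct.get("enabled", True))
    )


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    inventory = [
        ("oim-prod-1", "11.1.2.3.0"),
        ("oim-prod-2", "12.2.1.3.0-BP01"),
        ("oim-dev-1", "12.2.1.4.0"),
    ]
    for host in triage_inventory(inventory):
        print(f"PATCH REQUIRED: {host}")

    # Constructed sample account export.
    accounts = [
        {"name": "default_account_placeholder_1", "enabled": True},
        {"name": "DEFAULT_ACCOUNT_PLACEHOLDER_2", "enabled": False},
        {"name": "alice", "enabled": True},
    ]
    for name in find_enabled_default_accounts(accounts):
        print(f"DEFAULT ACCOUNT STILL ENABLED: {name}")
```

Run it against a real inventory by replacing the constructed lists with the output of your configuration management or directory export; a host that appears in the first report and an account in the second are the two findings the advisory asks you to close.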

For more information, please visit:

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html

http://www.securityweek.com/oracle-patches-critical-flaw-identity-manager