10/10 would patch again: Big Red plasters 'easily exploitable' backdoor in Oracle Identity Manager

Remote unauthenticated attack bug gets perfect CVSS score

By Rebecca Hill

Posted in Security, 30th October 2017 17:32 GMT

Oracle is urging users of its enterprise identity management system to apply an emergency update to stomp a bug that allows attackers to take over the system.

The bug has been given a CVSS score of 10.0 – the maximum, rated critical – and could allow a remote, unauthenticated attacker to compromise affected systems.

Oracle said the vuln "can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack".

Oracle described the flaw as "easily exploitable". It allows an "unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager".

Although the vuln is in Oracle Identity Manager, which is a component of Oracle Fusion Middleware, Big Red said that "attacks may significantly impact additional products".

The bug, designated CVE-2017-10151, does not appear to have been included in Big Red's quarterly critical patch update, which was released just over a week ago.

That update contained details of 38 other vulns in Oracle Fusion Middleware.

Oracle said in the latest alert that users should apply the updates provided "without delay".

The company listed the affected versions that are still under support as: 11.1.1.7; 11.1.1.9; 11.1.2.1.0; 11.1.2.2.0; 11.1.2.3.0; and 12.2.1.3.0.

Product releases that aren't under premier or extended support weren't tested for the vuln, but Oracle added that it was "likely that earlier versions of affected releases are also affected". ®
