10/10 would patch again: Big Red plasters 'easily exploitable' backdoor in Oracle Identity Manager

Remote unauthenticated attack bug gets perfect CVSS score

By Rebecca Hill

Oracle is urging users of its enterprise identity management system to apply an emergency update to stomp a bug that allows attackers to take over the system.

The bug has been given a CVSS score of 10.0 – or critical – and could allow a remote, unauthorised hacker access to systems.

Oracle said the vuln "can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack".

Oracle described the flaw as "easily exploitable". It allows an "unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager".

Although the vuln is in the Fusion Middleware component of Oracle Identity Manager, Big Red said that "attacks may significantly impact additional products".

The bug, designated CVE-2017-10151, does not appear to have been included in Big Red's quarterly critical patch update, which was released just over a week ago.

That update contained details of 38 other vulns in Oracle Fusion Middleware.

Oracle said in the latest alert that users should apply the updates provided "without delay".

The company listed supported versions affected as: 11.1.1.7; 11.1.1.9; 11.1.2.1.0; 11.1.2.2.0; 11.1.2.3.0; and 12.2.1.3.0.

Product releases that aren't under premier or extended support aren't tested for the vuln, but Oracle added that it was "likely that earlier versions of affected releases are also affected". ®
