10/10 would patch again: Big Red plasters 'easily exploitable' backdoor in Oracle Identity Manager

Remote unauthenticated attack bug gets perfect CVSS score

By Rebecca Hill

Oracle is urging users of its enterprise identity management system to apply an emergency update to stomp a bug that allows attackers to take over the system.

The bug has been given a CVSS score of 10.0 – or critical – and could allow a remote, unauthorised hacker access to systems.

Oracle said the vuln "can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack".

Oracle described the flaw as "easily exploitable". It allows an "unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager".

Although the vuln is in the Fusion Middleware component of Oracle Identity Manager, Big Red said that "attacks may significantly impact additional products".

The bug, designated CVE-2017-10151, does not appear to have been included in Big Red's quarterly critical patch update, which was released just over a week ago.

That update contained details of 38 other vulns in Oracle Fusion Middleware.

Oracle said in the latest alert that users should apply the updates provided "without delay".

The company listed supported versions affected as: 11.1.1.7; 11.1.1.9; 11.1.2.1.0; 11.1.2.2.0; 11.1.2.3.0; and 12.2.1.3.0.

Product releases that aren't under premier or extended support aren't tested for the vuln, but Oracle added that it was "likely that earlier versions of affected releases are also affected". ®
