Emergency Oracle Patch Closes Bug Rated 10 in Severity

Oracle pushed out an emergency update for a bug in Oracle Identity Manager that is as bad as it gets.

Scoring a 10 on the CVSS scale, the vulnerability, CVE-2017-10151, enables an attacker to remotely take over the software without the need for authentication.

“While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products,” according to an advisory published on NIST’s National Vulnerability Database.

Oracle Identity Manager oversees user access privileges to enterprise resources, workflow and task management. It is one of dozens of components in the Oracle Fusion Middleware suite of web-based services. Versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0 are affected, Oracle said.

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” Oracle said in its advisory.

Oracle said the vulnerability is “easily exploitable,” and should be addressed immediately.

“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert,” Oracle said. “However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.”

Oracle’s most recent quarterly Critical Patch Update was released on Oct. 17, but this vulnerability was not listed in the update. Oracle has not released any further details on the type of vulnerability affecting the product, when it was disclosed, or by whom.

The Oct. 17 CPU included patches for 250 vulnerabilities. Fusion Middleware was the hardest hit, with 38 fixes, including one for a 2016 remote code execution bug in Oracle Identity Manager that is unrelated to this bug.

According to ERPScan, Oracle patched 1,119 bugs this year, the highest annual total ever, compared to 914 last year and 614 in 2015.

Source: ThreatPost
