Oracle pushed out an emergency update for a bug in Oracle Identity Manager that is as bad as it gets.
Rated 10.0, the maximum on the CVSS scale, the vulnerability, CVE-2017-10151, lets an unauthenticated attacker take over the software remotely.
“While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products,” according to an advisory published on NIST’s National Vulnerability Database.
Oracle Identity Manager governs user access privileges to enterprise resources and handles workflow and task management. It is one of dozens of components in the Oracle Fusion Middleware suite of web-based services. Oracle's Security Alert lists the affected releases, which span the 11.1.1, 11.1.2 and 12.2.1 lines.
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” Oracle said in its advisory.
Oracle describes the vulnerability as “easily exploitable” and says it should be addressed immediately.
“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert,” Oracle said. “However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.”
Oracle’s most recent quarterly Critical Patch Update was released on Oct. 17, but this vulnerability was not among its fixes; it arrived instead as an out-of-band Security Alert. Oracle has not released any further details on the type of vulnerability, when it was disclosed, or by whom.
The Oct. 17 CPU included patches for 250 vulnerabilities. Fusion Middleware was hit hardest with 38 fixes, including one for a 2016 remote code execution bug in Oracle Identity Manager that is unrelated to this flaw.
According to ERPScan, Oracle patched 1,119 bugs this year, compared to 914 last year and 614 in 2015, making this year's count the highest annual total to date.