Highly Critical Flaw (CVSS Score 10) Lets Hackers Hijack Oracle Identity Manager

Oracle Identity Manager (OIM) allows companies to manage the entire user life-cycle across all company resources, both within and behind a firewall. Within Oracle Identity Management it provides a mechanism for implementing the user-management aspects of a corporate policy.

Oracle Identity Manager is affected by a security issue that enables an unauthenticated attacker with network access to take complete control of the product. The issue exists because a default account can be accessed over HTTP.

The security issue is tracked as CVE-2017-10151 and has a CVSS v3 base score of 10.0. Oracle said that the vulnerability is very easy to exploit and requires no user interaction.

According to Oracle:
Supported versions that are affected are 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Oracle strongly advises users to install the updates provided by this Security Alert without delay, because this is a critical vulnerability.