Oracle Issues Emergency Patch for Remote Takeover Vulnerability
Oracle released an out-of-band patch late last week to address a critical remote takeover vulnerability.
Oracle was forced to issue an emergency update late last week to address a nasty vulnerability that garnered a 10 out of 10 score on the CVSS v3 rating system.
If left unpatched, the issue could lead to the compromise of the company’s enterprise identity management system, Oracle Identity Manager (OIM), Oracle warned last Friday. The software is also a component of Oracle’s Fusion Middleware. Identity Manager helps organizations manage and validate user identities across their resources; it also provisions users with access to enterprise systems.
A note on the vulnerability (CVE-2017-10151) posted by the National Institute of Standards and Technology to its site on Monday warned that an unauthenticated attacker with network access via HTTP could compromise OIM and take over the system. Oracle says the vulnerability is easily exploitable and stems from a default account in OIM.
The company's warning says the bug affects six versions of Identity Manager [the affected version numbers are garbled in the source text]. The company released a fix for the vulnerability late Friday, but news of the bug didn’t really trickle out until Monday, after NIST posted the CVE to its National Vulnerability Database.
In its advisory Oracle urged users to apply the updates "without delay."
The fix comes less than two weeks after the company issued its regularly scheduled Critical Patch Update on October 17, expected to be its last batch of patches until 2018. That update resolved 250 vulnerabilities, including three rated 10.0: two in Oracle's Hospitality Reporting and Analytics application and another in its Siebel CRM. CVSS 3.0, the Common Vulnerability Scoring System, is the industry standard for assessing the severity of security vulnerabilities; 10.0, or critical-severity, bugs are the worst of the worst.