Skip to main content

Oracle Issues Emergency Patch for Remote Takeover Vulnerability

by Chris Brook on Thursday November 2, 2017

Contact Us
Free Demo

Oracle released an out-of-band patch late last week to address a critical remote takeover vulnerability.

Oracle was forced to issue an emergency update late last week to address a nasty vulnerability that garnered a 10 out of 10 score on the CVSS v3 rating system.

If left unpatched the issue could lead to the compromise of the company’s enterprise identity management system, Identity Manager, Oracle warned last Friday. The software also figures into Oracle’s Fusion Middleware. Identity Manager helps users manage and validate user identities across organization resources; it also supplies users with access to enterprise systems.

A note on the vulnerability (CVE-2017-10151) posted by the National Institute of Standards and Technology to its site on Monday warned an unauthenticated attacker with network access via HTTP could compromise OIM and lead to a takeover. Oracle says the vulnerability is easily exploitable and tied to the fact OIM has a default account.

The company's warning says the bug affects versions,,,, and of Identity Manager. The company released a fix for the vulnerability late Friday but news around the bug didn’t really trickle out until Monday, after NIST posted about the CVE to its National Vulnerability Database. 

In its advisory Oracle urged users to apply the updates "without delay."

The fix comes less than two weeks after the company issued its regularly scheduled Critical Patch Update, expected to be its last band of patches until 2018, on October 17. That update resolved 250 vulnerabilities, including three rated 10.0, two in Oracle's Hospitality Reporting and Analytics application and another in its Siebel CRM. The CVSS 3.0, or Common Vulnerability Scoring System, is the industry standard when it comes to assessing the severity of security vulnerabilities; 10.0, or critical severity bugs are the worst of the worst.

Tags:  Vulnerabilities

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.