The Daily Swig Web security digest

Imperfect 10: Oracle patches critical vulnerability

James Walker | 31 October 2017 at 14:00

‘Easily exploitable’ Identity Manager flaw given maximum CVSS severity rating.

Oracle Corporation has issued a patch that plugs a critical vulnerability affecting the group’s widely used enterprise identity management system, Oracle Identity Manager.

While the company did not provide full technical details, it warned that the vulnerability (CVE-2017-10151) could result in the complete compromise of Oracle Identity Manager via an unauthenticated network attack.

The flaw was given the maximum CVSS base score of 10, and Oracle urged its customers to update their systems “without delay”.

Part of the Fusion Middleware suite of web-based services, Oracle Identity Manager allows enterprises to manage user access privileges across all of a firm’s resources, and provides a way to implement corporate policies.

“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this security alert,” Oracle said.

“However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.”

According to NIST, the “easily exploitable” vulnerability found in Oracle Identity Manager could also significantly impact additional products.

The emergency patch comes after last month’s regular set of Oracle security updates, which included 252 fixes for critical flaws in the group’s products.