Oracle released an emergency fix for a highly critical vulnerability found in its widely-used enterprise identity management system that allows an attacker to access enterprise software remotely without authentication. Tracked as CVE-2017-10151, the flaw in Oracle Identity Manager was issued a CVSS score of 10, which is the most severe vulnerability rating.
It was discovered that an unauthenticated attacker with network access via HTTP could compromise Oracle Identity Manager, which makes it easier to exploit. Further findings also suggest that attacks may significantly impact other products.
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” the company said in an advisory. Oracle also told customers that patches released through its Security Alert program are provided only for product versions covered under the Premier Support or Extended Support phases of its Lifetime Support Policy.
Affected versions of Oracle Identity Manager are as follows:
Oracle Identity Manager is a system that helps enterprises manage the identities and access privileges of their customers, business partners, and employees. It also allows enterprises to set up delegated administrators, who are users empowered to manage the identities, passwords, password policies, and access of other users.
As of writing, no further details were shared on who discovered the flaw or whether the vulnerability is being exploited in the wild.
Oracle just patched a total of 252 vulnerabilities in the company's quarterly patch update on October 18. Fixes for Oracle Fusion Middleware, Oracle Hospitality, Oracle MySQL, PeopleSoft, and Java were released to resolve problems that range from remote code execution bugs to SQL injection vulnerabilities. The next scheduled Oracle patch update is expected to be rolled out on January 16, 2018.
Trend Micro Solutions
Trend Micro™ TippingPoint™ provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via DigitalVaccine™ filters. Trend Micro™ Deep Security™ and Vulnerability Protection also provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit vulnerabilities even without an engine or pattern update.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.