Oracle Identity Manager Critical Vulnerability

Advisory Version: 1.0
Reference: CVE-2017-10151
CVSS v3: 10.0
Affected software: Oracle Identity Manager
Type: HTTP authentication vulnerability

Sources

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151...
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10151

Risks

Unauthenticated network access, which may lead to total system compromise.

Summary

An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager (OIM). While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products relying on OIM for user access control. Successful abuse of this vulnerability can result in the takeover of Oracle Identity Manager.

Affected Versions

Oracle Identity Manager, versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0, 12.2.1.3.0

Recommended action

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by the Security Advisory referenced in the sources of this document without delay.