Oracle’s Emergency Patch for Identity Manager

Wednesday, November 1, 2017 @ 03:11 PM gHale


Not long after releasing its quarterly patch, Oracle issued an out-of-cycle patch that plugs a critical vulnerability affecting Oracle Identity Manager.

The product is the company’s widely used enterprise identity management system, part of the Fusion Middleware offering.

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” the company said in an advisory.

The vulnerability has been assigned a CVSS v3 base score of 10.0 and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack. It is easily exploitable, and a successful attack requires no human interaction.

The affected supported versions of the product are 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0, and 12.2.1.3.0.

“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities,” Oracle said.

No additional specific details about the flaw were released.


