Oracle pushes out emergency fix for remote system hijack vulnerability
Oracle has broken its usual quarterly Critical Patch Update (CPU) cycle to release an emergency fix for a vulnerability which allows attackers to access enterprise software remotely without authentication.
The vulnerability, CVE-2017-10151, can result in a "complete compromise of Oracle Identity Manager via an unauthenticated network attack," according to the company.
The bug has been issued a CVSS score of 10, the highest in severity possible.
Attackers can take over the software remotely without prior authentication, so no valid user account credentials are required. The vulnerable software can be reached over HTTP.
According to NIST, the vulnerability is "easily exploitable".
Oracle Identity Manager is a component found in Oracle Identity Management which manages and validates user identities and access to enterprise systems.
The bug impacts Oracle Identity Manager versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0, and 12.2.1.3.0.
However, Oracle says that products that are not under Product Premier Support or Extended Support are not tested for the presence of the vulnerabilities addressed by the advisory, and that "it is likely that earlier versions of affected releases are also affected by these vulnerabilities."
"While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products," NIST says.
Oracle has implored IT admins to apply the patch "without delay" due to the severity of the issue.
The next Oracle patch update outside of emergency fixes is expected to land on January 16, 2018.