A highly critical vulnerability has been discovered in Oracle's enterprise identity management system that can be easily exploited by remote, unauthenticated attackers to take full control over the affected systems.
The critical vulnerability, tracked as CVE-2017-10151, has been assigned the highest CVSS score of 10 and is easy to exploit without any user interaction, Oracle said in its advisory published Monday without revealing many details about the issue.
The vulnerability affects the Oracle Identity Manager (OIM) component of Oracle Fusion Middleware, an enterprise identity management system that automatically manages users' access privileges within enterprises.
The security loophole is due to a "default account" that an unauthenticated attacker on the same network can access via HTTP to compromise Oracle Identity Manager.
Oracle has not released complete details of the vulnerability in an effort to prevent exploitation in the wild, but here the "default account" could be a secret account with a hard-coded password or no password.
Oracle has released patches for all versions of its affected products, so you are advised to install the patches before hackers get a chance to exploit the vulnerability to target your enterprise.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability.
However, Oracle said it was "likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions."
The security patch for this vulnerability comes just about two weeks after Oracle's regular Critical Patch Update (CPU) for October 2017, which patches a total of 252 vulnerabilities in its products, including 40 in Fusion Middleware, out of which 26 are remotely exploitable without authentication.
"This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials," Oracle's advisory reads. The easily exploitable vulnerability affects Oracle Identity Manager versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0.
"Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay," the company warned.