Oracle Identity Manager (OIM) allows companies to manage the entire user life cycle across all company resources, both inside and outside the firewall. Within Oracle Identity Management it provides the mechanism for implementing the user-management aspects of a corporate policy.
Oracle Identity Manager is affected by a vulnerability that allows an unauthenticated attacker with network access via HTTP to take complete control of the product. The flaw is caused by a default account that is accessible over HTTP.
The vulnerability is tracked as CVE-2017-10151 and carries a CVSS v3 base score of 10.0. Oracle notes that it is easily exploitable and requires no user interaction.
According to Oracle:
Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0, 11.1.2.2.0, 11.1.2.3.0, 12.2.1.2.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay, since the vulnerability is critical.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in several industry domains, including finance, healthcare and consumer products.