Threat Level: green Handler on Duty: Pasquale Stirparo

SANS ISC: Critical Patch For Oracle's Identity Manager - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Critical Patch For Oracle's Identity Manager

On Friday, Oracle released a critical patch for it's Identity Manager, which is part of Fusion Middleware. The vulnerability patched with this update does affect all current versions of the product, and has a CVSS score of 10. The patch comes just about two weeks after Oracle's regular Critical Patch Update (CPU). 

According to Oracle's summary, the patch secures a default account that can be used to log in via HTTP to take over the system. Once these default credentials become known, exploitation should be trivial.

For details, see Oracle's announcement here:
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
STI|Twitter|

Defending Web Applications Security Essentials - Secure DevOps Summit & Training 2018

Johannes

3372 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!