
SANS ISC: Critical Patch For Oracle's Identity Manager SANS ISC InfoSec Forums

Critical Patch For Oracle's Identity Manager

On Friday, Oracle released a critical patch for its Identity Manager, which is part of Fusion Middleware. The vulnerability patched with this update affects all current versions of the product and has a CVSS score of 10. The patch comes just about two weeks after Oracle's regular Critical Patch Update (CPU).

According to Oracle's summary, the patch secures a default account that can be used to log in via HTTP to take over the system. Once these default credentials become known, exploitation should be trivial.

For details, see Oracle's announcement here:
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute