Oracle has issued an out-of-cycle patch (a Security Alert, rather than a quarterly Critical Patch Update) that plugs a critical vulnerability (CVE-2017-10151) affecting Oracle Identity Manager, its widely used enterprise identity management system that is part of the company's Fusion Middleware offering.
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” the company said.
The vulnerability has been assigned a CVSS v3 base score of 10.0, the maximum possible, and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack: the attacker needs only network access to the product, no credentials, and no action by a legitimate user. Oracle rates it as easily exploitable.
Supported affected versions of the product are: 11.1.1.7, 11.1.2.1, 11.1.2.2.0, 11.1.2.3.0, 12.2.1.2.0, and 12.2.1.3.0.
“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities,” Oracle said, and advised customers to upgrade to supported versions.
No additional, specific details about the flaw were shared, nor was the identity of the person(s) who discovered it, or whether it is being actively exploited in the wild.
The October 2017 Oracle Critical Patch Update provided 40 new security fixes for Oracle Fusion Middleware. The next Oracle CPU is scheduled for 16 January 2018.