Oracle scores ten out of ten - for a critical security flaw in Oracle Identity Manager
Patch without delay, urges Oracle
Cyber crooks are tapping into a recently identified vulnerability in Oracle's Identity Manager that allows them to take full control of the application remotely.
The vulnerability, which has a CVSS v3 base score of 10.0, can result in "complete compromise" of Oracle Identity Manager as a result of an unauthenticated attack.
Oracle released an advisory statement on Monday in an attempt to address the flaw, although it failed to give users full details about the issue or potential side-effects.
However, it's clear that cyber criminals are able to take full control of the Identity Manager with little user interaction and from anywhere in the world.
Oracle Identity Manager is a crucial part of the company's Fusion Middleware. The latter is an identity management system that lets enterprises manage user access.
The company said the vulnerability affects many versions of Identity Manager, including 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0.
Although Oracle is attempting to withhold complete details of the vulnerability from cyber criminals, it's thought that the issue involves a "default account" that attackers can use via HTTP to compromise the app.
Attackers are able to get into the platform without passwords, Oracle said. "This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials."
Writing in an advisory, the company explained that it is in the process of releasing patches to fix all versions of the affected product. Users have been advised to install them as a matter of urgency.
"Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay," the company advised.
It continued: "Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy.
"We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running."
It added: "Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert.
"However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions."
Oracle explained that earlier versions are likely to be affected too, and it recommends that customers upgrade to newer software to stay protected from hackers. This security patch follows Oracle's regular Critical Patch Update (CPU), which came out two weeks ago.