A highly critical vulnerability has been discovered in Oracle’s enterprise identity management system that can be easily exploited by remote, unauthenticated attackers to take full control over the affected systems.
The vulnerability, tracked as CVE-2017-10151, has been assigned the highest possible CVSS score of 10 and is easy to exploit without any user interaction, Oracle said in its advisory published Monday, which reveals few details about the issue.
The vulnerability affects the Oracle Identity Manager (OIM) component of Oracle Fusion Middleware—an enterprise identity management system that automatically manages users’ access privileges within enterprises.
The security loophole is due to a "default account" that an unauthenticated attacker on the same network can access via HTTP to compromise Oracle Identity Manager.
Oracle has not released complete details of the vulnerability in an effort to prevent exploitation in the wild, but here the "default account" could be a hidden account with a hard-coded password or no password at all.
"This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials," Oracle’s advisory reads.
To read the original article:
https://thehackernews.com/2017/10/oracle-identity-manager.html