Oracle has released patches for a security issue affecting the Oracle Identity Manager that has received a rare 10 out of 10 score on the CVSSv3 bug severity scale.
The giant software maker has remained tight-lipped about the issue and has not released any type of meaningful explanation in an attempt to delay the start of attacks trying to exploit this flaw as long as possible, giving customers more time to patch.
No-password default account found in OIM middleware
The affected product is Oracle Identity Manager (OIM), a user management solution that allows enterprises to control what parts of their network employees can access. OIM is part of Oracle's highly popular Fusion Middleware offering and is one of its most used components.
Oracle describes the issue — tracked under the CVE-2017-10151 identifier — as a "default account" vulnerability, an umbrella term that's usually used to describe accounts with no password or hardcoded credentials (a.k.a. backdoor accounts).
"This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials," Oracle said in a security alert.
While other companies were also caught including default accounts, usually included for debugging purposes, most are only accessible locally and at least have a password. Having a no-password default account accessible via the Internet is a terrible idea or a huge oversight.
Oracle has released patches
Oracle released patches last Friday. Oracle Identity Manager versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0, and 12.2.1.3.0 are confirmed affected but Oracle says previous versions may also be vulnerable.
On October 16, Oracle released the October 2017 Critical Patch Update (CPU) trimestrial update train. The company fixed 252 bugs. CVE-2017-10151 was not one of them. Users employing Oracle middleware are advised to read the company's most recent security alert for OIM patching instructions, and install the October 2017 CPU while they're at it.
Comments
Occasional - 6 years ago
While the immediate reaction would be something like: "How could they be so stupid as to leave a giant security flaw in a security software product?" Time will provide details; and details will show if it was just that simple - but I doubt if it.
My guess this incident (and many like it), will turn out to be an unavoidable consequence of the dependence on well established algorithms, principles, practices and legacy code - all established with an eye to efficient functionality, not with an eye toward exploitation. They were also established without anticipating just how many eyes would be looking for vulnerabilities. It's unreasonable to assume that the good guys will always find and fix these before the bad guys.