The flaw could allow an attacker to gain complete access to Oracle Identity Manager, without authentication. Oracle recommends customers apply the workaround “without delay.”

Aldrin Brown, Editor-in-Chief

November 1, 2017

2 Min Read
Oracle Identity Manager screenshot

Oracle is warning customers about a critical vulnerability that could allow an attacker to completely take over Oracle Identity Manager (OIM) without authentication.

The security alert, CVE-2017-10151, was deemed so critical that Oracle decided to issue an immediate workaround, instead of waiting for the next quarterly Critical Patch Update.

The nature of the threat is such that it scored the highest severity on the 10-point Common Vulnerability Scoring System, an open industry standard for assessing vulnerabilities.

“This vulnerability has a CVSS v3 base score of 10.0, and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack,” the alert states. 

“The Patch Availability Document…provides a full workaround for this vulnerability, and will be updated when patches in addition to the workaround are available,” it goes on. “Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay.”

Oracle’s last Critical Patch Update was issued on Thursday, and the OIM security alert was announced the following day.

The next quarterly Critical Patch Update is scheduled for January 16, 2018.

OIM – a component of the Oracle Fusion Middleware group of business applications – is used to control network access, including adding and removing users and setting policies.

As a result, an unauthenticated attacker could gain access to all parts of a network.

The flaw affects Oracle Identity Manager versions,,,,,

The workaround is available for customers with current Premier Support or Extended Support subscriptions.

“We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running,” the security alert states. “Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert.”

“However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities,” the alert continues. “As a result, Oracle recommends that customers upgrade to supported versions.”


Send tips and news to [email protected].

Read more about:


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.


Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like