Oracle has released patches for a security issue affecting the Oracle Identity Manager that has received a rare 10 out of 10 score on the CVSSv3 bug severity scale.
The giant software maker has remained tight-lipped about the issue and has not released any type of meaningful explanation in an attempt to delay the start of attacks trying to exploit this flaw as long as possible, giving customers more time to patch.
The affected product is Oracle Identity Manager (OIM), a user management solution that allows enterprises to control what parts of their network employees can access. OIM is part of Oracle's highly popular Fusion Middleware offering and is one of its most used components.
Oracle describes the issue — tracked under the CVE-2017-10151 identifier — as a "default account" vulnerability, an umbrella term that's usually used to describe accounts with no password or hardcoded credentials (a.k.a. backdoor accounts).
"This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials," Oracle said in a security alert.
While other companies were also caught including default accounts, usually included for debugging purposes, most are only accessible locally and at least have a password. Having a no-password default account accessible via the Internet is a terrible idea or a huge oversight.
Oracle released patches last Friday. Oracle Identity Manager versions 220.127.116.11, 18.104.22.168, 22.214.171.124.0, 126.96.36.199.0, 188.8.131.52.0, and 184.108.40.206.0 are confirmed affected but Oracle says previous versions may also be vulnerable.
On October 16, Oracle released the October 2017 Critical Patch Update (CPU) trimestrial update train. The company fixed 252 bugs. CVE-2017-10151 was not one of them. Users employing Oracle middleware are advised to read the company's most recent security alert for OIM patching instructions, and install the October 2017 CPU while they're at it.