Oracle Security Alert Advisory - CVE-2017-10151


This Security Alert addresses CVE-2017-10151, a vulnerability affecting Oracle Identity Manager. This vulnerability has a CVSS v3 base score of 10.0, and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack. The Patch Availability Document referenced below provides a full workaround for this vulnerability, and will be updated when patches in addition to the workaround are available.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay.

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Security Alert program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Security Alert program for products in the Extended Support Phase.

Credit Statement

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Update or Security Alert Advisories.

In this Security Alert Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:

  • Chris Fischetti


Affected Products and Components

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions Patch Availability
Oracle Identity Manager, versions,, Fusion Middleware

Modification History

Date Note
2017-November-04 Rev 3. Updated Credit Statement.
2017-November-01 Rev 2. Updated Supported Versions Affected.
2017-October-27 Rev 1. Initial Release.




Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Security Alert contains 1 new security fix for Oracle Fusion Middleware.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware Risk Matrix

CVE# Product Component Protocol Remote
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Scope Confid-
CVE-2017-10151 Oracle Identity Manager Default Account HTTP Yes 10.0 Network Low None None Changed High High High,,