This Security Alert addresses CVE-2017-10151, a vulnerability affecting Oracle Identity Manager. This vulnerability has a CVSS v3 base score of 10.0, and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack. The Patch Availability Document referenced below provides a full workaround for this vulnerability, and will be updated when patches in addition to the workaround are available.
Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay.
Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Patches released through the Security Alert program are available to customers who have Extended Support under the Lifetime Support Policy.Customers must have a valid Extended Support service contract to download patches released through the Security Alert program for products in the Extended Support Phase.
Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Update or Security Alert Advisories.
In this Security Alert Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:
Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
|Affected Products and Versions||Patch Availability|
|Oracle Identity Manager, versions 126.96.36.199, 188.8.131.52, 184.108.40.206||Fusion Middleware|
|2017-November-04||Rev 3. Updated Credit Statement.|
|2017-November-01||Rev 2. Updated Supported Versions Affected.|
|2017-October-27||Rev 1. Initial Release.|
This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
|CVE#||Product||Component||Protocol||Remote Exploit without Auth.?||CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)||Supported Versions Affected||Notes|
|Base Score||Attack Vector||Attack Complex||Privs Req'd||User Interact||Scope||Confidentiality||Integrity||Availability|
|CVE-2017-10151||Oracle Identity Manager||Default Account||HTTP||Yes||10.0||Network||Low||None||None||Changed||High||High||High||220.127.116.11, 18.104.22.168, 22.214.171.124|