PT-2017-3022 · Oracle · Oracle Identity Manager

Published

2017-10-27

Updated

2019-10-03

CVE-2017-10151

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Oracle Identity Manager versions 11.1.1.7, 11.1.2.3, 12.2.1.3

Description The issue is related to the use of default system accounts in Oracle Identity Manager, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks can result in the takeover of Oracle Identity Manager and may significantly impact additional products.

Recommendations For versions 11.1.1.7, 11.1.2.3, and 12.2.1.3, consider disabling the use of default system accounts as a temporary workaround until a patch is available. Restrict access to the Oracle Identity Manager component to minimize the risk of exploitation. Avoid using the default system accounts in the affected Oracle Identity Manager component until the issue is resolved.

Fix

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798

Related Identifiers

BDU:2017-02380

CVE-2017-10151

Affected Products

Oracle Identity Manager

PT-2017-3022 · Oracle · Oracle Identity Manager

CVE-2017-10151

Weakness Enumeration

Related Identifiers

Affected Products

References · 8