CVE-2017-10151 Oracle Identity Manager Vulnerability

Oracle has released an out-of-cycle security advisory (CVE-2017-10151) for a vulnerability affecting Oracle Identity Manager.  This vulnerability has a CVSS 3.0 base score of 10 out of 10.  Oracle Identity Manager is the identity governance component within the Oracle Identity Management solution.  All supported versions of Identity Manager are impacted from 11.1.1.7 to 12.2.1.3.0.  Most likely 11.1.1.1 through 11.1.1.6 are also vulnerable.  Previous Identity Manager versions (10g and 9.x) that are not based on Oracle WebLogic are probably not vulnerable.

The vulnerability is that the Oracle Identity Manager system user account (OIMINTERNAL) can be accessed using the default password through the Oracle WebLogic server.  As this is a highly privileged user, the entire Identity Manager environment can be completely compromised via an unauthenticated network attack.

The work-around is to change the OIMINTERNAL user password to a random string in the WebLogic administration console under Domain -> Security Realms.  A patch will be available in the future to automatically change the password.  See My Oracle Support Note "Oracle Security Alert CVE-2017-10151 Patch Availability Document for Oracle Identity Manager (Doc ID 2322316.1)" for more information.

As Oracle released an out-of-cycle security advisory, either detailed information regarding the vulnerability has been released or will soon be released, or Oracle has been informed the vulnerability is being actively exploited.

 Share this post