Oracle pushed out an emergency update for a bug in Oracle Identity Manager that is as bad as it gets.
Scoring a 10 on the CVSS scale, the vulnerability, CVE-2017-10151, enables an attacker to remotely take over the software without the need for authentication.
“While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products,” according to an advisorypublished on NIST’s National Vulnerability Database.
Oracle Identity Manager oversees user access privileges to enterprise resources, workflow and task management. It is one of dozens of components in the Oracle Fusion Middleware suite of web-based services. Versions 188.8.131.52, 184.108.40.206, 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199.0 are affected, Oracle said.
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” Oracle said in its advisory.
Oracle said the vulnerability is “easily exploitable,” and should be addressed immediately.