Data Insider: Digital Guardian's Blog

Oracle Issues Emergency Patch for Remote Takeover Vulnerability

Oracle released an out-of-band patch late last week to address a critical remote takeover vulnerability.

Oracle was forced to issue an emergency update late last week to address a nasty vulnerability that garnered a 10 out of 10 score on the CVSS v3 rating system.

If left unpatched, the issue could lead to the compromise of the company's enterprise identity management system, Oracle Identity Manager (OIM), Oracle warned last Friday. The software is also a component of Oracle's Fusion Middleware. Identity Manager helps organizations manage and validate user identities across their resources; it also provisions users with access to enterprise systems.

A note on the vulnerability (CVE-2017-10151) posted by the National Institute of Standards and Technology (NIST) to its site on Monday warned that an unauthenticated attacker with network access via HTTP could compromise OIM, leading to a takeover of the system. Oracle says the vulnerability is easily exploitable and is tied to the fact that OIM has a default account.

The company's warning says the bug affects versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0 of Identity Manager. The company released a fix for the vulnerability late Friday, but news of the bug didn't really trickle out until Monday, after NIST added the CVE to its National Vulnerability Database.

In its advisory Oracle urged users to apply the updates "without delay."

The fix comes less than two weeks after the company issued its regularly scheduled Critical Patch Update on October 17, expected to be its last batch of patches until 2018. That update resolved 250 vulnerabilities, including three rated 10.0: two in Oracle's Hospitality Reporting and Analytics application and another in its Siebel CRM. CVSS 3.0, the current version of the Common Vulnerability Scoring System, is the industry standard for assessing the severity of security vulnerabilities; bugs scored 10.0, the critical severity band, are the worst of the worst.

Chris Brook


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.