Oracle Fixes "Default Account" Issue Rated 10 Out of 10 on Severity Scale

LASER_oneXM

Feb 4, 2016
Oracle has released patches for a security issue affecting the Oracle Identity Manager that has received a rare 10 out of 10 score on the CVSSv3 bug severity scale.

The giant software maker has remained tight-lipped about the issue and has not released any type of meaningful explanation in an attempt to delay the start of attacks trying to exploit this flaw as long as possible, giving customers more time to patch.

No-password default account found in OIM middleware
The affected product is Oracle Identity Manager (OIM), a user management solution that allows enterprises to control what parts of their network employees can access. OIM is part of Oracle's highly popular Fusion Middleware offering and is one of its most used components.

Oracle describes the issue — tracked under the CVE-2017-10151 identifier — as a "default account" vulnerability, an umbrella term that's usually used to describe accounts with no password or hardcoded credentials (a.k.a. backdoor accounts).

"This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials," Oracle said in a security alert.

While other companies have also been caught shipping default accounts, usually included for debugging purposes, most are only accessible locally and at least have a password. Having a no-password default account accessible via the Internet is a terrible idea or a huge oversight.