10/10 would patch again: Big Red plasters 'easily exploitable' backdoor in Oracle Identity Manager

Oracle is urging users of its enterprise identity management system to apply an emergency update to stomp a bug that allows attackers to take over the system. The bug has been given a CVSS score of 10.0 – or critical – and could allow a remote, unauthorised hacker access to systems. Oracle said the vuln "can result in complete …

  1. Anonymous Coward

    *********** Oracle

    Unbreakable... Unhackable... Incompetent Oracle

  2. Roo

    Oracle appear to have eliminated validation from their development process. They've mugged their customers with rank amateur wankware, they really should be litigated out of business.

  3. Anonymous Coward

    Just to repeat this point

    "The company listed supported versions affected as: 11.1.1.7; 11.1.1.9; 11.1.2.1.0; 11.1.2.2.0; 11.1.2.3.0; and 12.2.1.3.0.

    Product releases that aren't under premier or extended support aren't tested for the vuln, but Oracle added that it was "likely that earlier versions of affected releases are also affected"."

    i.e. ignore the version numbers, if you run this software it probably has this defect.

    Dear Oracle - while you may feel all happy with just releasing details for "supported" products, the first step to recovery is admitting you have a problem.

  4. Aodhhan Bronze badge

    I don't think anyone is shocked by this

    Nearly all security professionals know any Oracle product is a problem waiting to happen. Even more disturbing is how long it takes for them to fix something... if they do.

    Thankfully, we've stopped allowing any new Oracle products onto our network. Those we still have must find a new non-Oracle solution prior to their refresh date.

    1. Roo

      Re: I don't think anyone is shocked by this

      "Thankfully, we've stopped allowing any new Oracle products onto our network. Those we still have must find a new non-Oracle solution prior to their refresh date."

      Lucky you... Did that extend to Java by association too? :)

  5. Jonbays

    Java sets the tone for the security of all their software so no one should be surprised. Just get a good patch and vulnerability management software and use it religiously if you have to use Oracle sw in your organisation.


Biting the hand that feeds IT © 1998–2019