Oracle has broken its usual quarterly Critical Patch Update (CPU) cycle to release an emergency fix for a vulnerability that allows attackers to access enterprise software remotely without authentication.
The vulnerability, CVE-2017-10151, can result in a "complete compromise of Oracle Identity Manager via an unauthenticated network attack," according to the company.
The bug has been issued a CVSS score of 10, the highest in severity possible.
Attackers can remotely take over the software without prior authentication, and so no valid user account credentials are required. Connections to vulnerable software can be made over HTTP.
According to NIST, the vulnerability is "easily exploitable"
Oracle Identity Manager is a component found in Oracle Identity Management which manages and validates user identities and access to enterprise systems.
The bug impacts Oracle Identity Manager versions 220.127.116.11, 18.104.22.168, 22.214.171.124.0, 126.96.36.199.0, 188.8.131.52.0, and 184.108.40.206.0.
However, Oracle says that products which are not under Product Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by the advisory, and "it is likely that earlier versions of affected releases are also affected by these vulnerabilities."
"While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products," NIST says.
Oracle has implored IT admins to apply the patch "without delay" due to the severity of the issue.
Last month, Oracle patched a total of 252 vulnerabilities in the firm's latest quarterly patch update. Oracle Fusion Middleware, Oracle Hospitality, Oracle MySQL, and PeopleSoft received the most fixes -- and Java, naturally, was present too -- to resolve problems including remote code execution bugs, Persistent Cross Site Scripting (XSS) flaws, and SQL injection vulnerabilities.
The next Oracle patch update outside of emergency fixes is expected to land on January 16, 2018.