*********** Oracle
Unbreakable... Unhackable... Incompetent Oracle
Oracle is urging users of its enterprise identity management system to apply an emergency update to stomp a bug that allows attackers to take over the system. The bug has been given a CVSS score of 10.0 – or critical – and could allow a remote, unauthorised hacker access to systems. Oracle said the vuln "can result in complete …
"The company listed supported versions affected as: 11.1.1.7; 11.1.1.9; 11.1.2.1.0; 11.1.2.2.0; 11.1.2.3.0; and 12.2.1.3.0.
Product releases that aren't under premier or extended support aren't tested for the vuln, but Oracle added that it was "likely that earlier versions of affected releases are also affected"."
i.e. ignore the version numbers, if you run this software it probably has this defect.
Dear Oracle - while you may feel all happy with just releasing details for "supported" products, the first step to recovery is admitting you have a problem.
Nearly all security professionals know any Oracle product is a problem waiting to happen. Even more disturbing is how long it takes for them to fix something... if they do.
Thankfully, we've stopped allowing any new Oracle products onto our network. Those we still have must find a new non-Oracle solution prior to their refresh date.