Sunday, 22 March 2026

Oracle RCE Alert Critical Identity Manager Flaw Patched Urgently

Oracle has issued an out-of-band security update to address a critical vulnerability, identified as CVE-2026-21992, which carries a CVSS v3.1 score of 9.8. This severe flaw allows for remote code execution (RCE) without requiring any authentication, posing a significant threat to systems. The vulnerability is particularly concerning as it can be exploited remotely over HTTP with low complexity and without any user interaction. This means that any deployed systems accessible from the internet are at a considerably heightened risk of compromise.


The affected products are Oracle Identity Manager and Oracle Web Services Manager, specifically versions 12.2.1.4.0 and 14.1.2.1.0. These components are fundamental in managing user identities, authentication, access control, and service orchestration. A successful exploitation of this RCE flaw could lead to a cascade of negative consequences, ranging from complete control over the compromised server to the manipulation of critical processes such as account management, credential handling, and the alteration of policies across numerous corporate applications.

The combination of remote, unauthenticated access over HTTP creates a highly sensitive attack window. If these services are exposed and not properly patched, attackers can easily automate exploitation attempts at scale. Oracle strongly advises applying the recommended updates or mitigations from its Security Alert with the utmost urgency, especially for systems directly exposed to the internet or located in high-traffic zones such as DMZs or shared networks. Note that Oracle provides fixes only for versions under Premier Support or Extended Support. Organisations running older, unsupported versions may not receive an official patch, leaving them vulnerable. Therefore, a rapid inventory of Oracle Identity Manager and Oracle Web Services Manager instances, verification of exact versions, and immediate planning for updates are crucial steps.

While Oracle has not confirmed any active exploitation at this time, given the severity of a critical RCE in identity management software, it should be treated as an operational emergency. The recommended course of action is to patch or apply mitigations immediately, reduce HTTP exposure wherever feasible, and enhance monitoring for any signs of compromise on affected systems while the fix is being deployed. Organisations should also verify their support status for these Oracle products to ensure they are eligible for the provided fixes.

Original source: https://unaaldia.hispasec.com/2026/03/oracle-lanza-un-parche-urgente-por-una-rce-critica-sin-autenticacion-en-identity-manager.html?utm_source=rss&utm_medium=rss&utm_campaign=oracle-lanza-un-parche-urgente-por-una-rce-critica-sin-autenticacion-en-identity-manager

Article generated by LaRebelionBOT
