{"id":11510,"date":"2026-03-21T10:03:47","date_gmt":"2026-03-21T10:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/21\/oracle-issues-urgent-security-update-for-critical-rce-flaw-in-identity-manager-and-web-services-manager\/"},"modified":"2026-03-21T10:03:47","modified_gmt":"2026-03-21T10:03:47","slug":"oracle-issues-urgent-security-update-for-critical-rce-flaw-in-identity-manager-and-web-services-manager","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/21\/oracle-issues-urgent-security-update-for-critical-rce-flaw-in-identity-manager-and-web-services-manager\/","title":{"rendered":"Oracle Issues Urgent Security Update for Critical RCE Flaw in Identity Manager and Web Services Manager"},"content":{"rendered":"<p>Oracle Issues Urgent Security Update for Critical RCE Flaw in Identity Manager and Web Services Manager<\/p>\n<div>\n<p>Oracle has issued an out-of-band Security Alert addressing a critical remote code execution (RCE) vulnerability, CVE-2026-21992, affecting two widely deployed Fusion Middleware components, Oracle Identity Manager and Oracle Web Services Manager.<\/p>\n<p>The vulnerability carries a CVSS 3.1 base score of 9.8, placing it among the most severe classifications in Oracle\u2019s risk framework.<\/p>\n<p>CVE-2026-21992 is an unauthenticated, remotely exploitable flaw that requires no user interaction or special privileges to exploit. 
The attack vector is network-based with low complexity, meaning a threat actor only needs HTTP access to an exposed endpoint to potentially trigger remote code execution.<\/p>\n<p>The Confidentiality, Integrity, and Availability impact categories are all rated High, indicating that a successful exploit could grant an attacker full control over the affected system.<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/oracles-identity-manager-rce-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">In Oracle Identity Manager<\/a>, the vulnerability resides in the REST Web Services component, while in Oracle Web Services Manager, the flaw exists within the Web Services Security module.<\/p>\n<p>Oracle notes that Web Services Manager is typically installed alongside Oracle Fusion Middleware Infrastructure, expanding the potential attack surface across enterprise deployments.<\/p>\n<h2 class=\"wp-block-heading\" id=\"affected-versions\">Affected Versions<\/h2>\n<p>The vulnerability impacts the following product versions:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Product<\/th>\n<th>Affected Versions<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Oracle Identity Manager<\/td>\n<td>12.2.1.4.0, 14.1.2.1.0<\/td>\n<\/tr>\n<tr>\n<td>Oracle Web Services Manager<\/td>\n<td>12.2.1.4.0, 14.1.2.1.0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Both affected versions fall under the Fusion Middleware patch track, with patch documentation available via Oracle\u2019s Security Alert advisory page and My Oracle Support (Document ID KB878741).<\/p>\n<p>A CVSS score of 9.8 with no authentication requirement makes this vulnerability particularly dangerous for organizations with internet-facing Oracle Fusion Middleware deployments.<\/p>\n<p>Oracle Identity Manager is a widely used identity governance platform, and Oracle Web Services Manager handles security policy enforcement for web services; both are critical 
infrastructure components in large enterprise and government environments. Exploitation of either could result in full system compromise, credential theft, or lateral movement across connected systems.<\/p>\n<p><a href=\"https:\/\/www.oracle.com\/security-alerts\/alert-cve-2026-21992.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Oracle strongly urges all customers<\/a> to apply the available patches immediately. The alert, initially released on March 19, 2026, received an updated revision on March 20, 2026, with an additional note from Oracle.<\/p>\n<p>Organizations running unsupported versions of the affected products are advised to upgrade to a supported release, as patches are only provided for versions under Premier Support or Extended Support phases per Oracle\u2019s Lifetime Support Policy.<\/p>\n<p>Security teams should prioritize patching any externally accessible instances and review HTTP\/HTTPS exposure of REST Web Services and Web Services Security endpoints until remediation is complete. Customers can reference the full risk matrix and verbose CVE details on Oracle\u2019s official Security Alerts portal.<\/p>\n
<p>The post <a href=\"https:\/\/cybersecuritynews.com\/oracle-urgent-security-update\/\">Oracle Issues Urgent Security Update for Critical RCE Flaw in Identity Manager and Web Services Manager<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Oracle Issues Urgent Security Update for Critical RCE Flaw in Identity Manager and Web Services Manager Oracle has issued an out-of-band Security Alert addressing a critical remote code execution (RCE) vulnerability, CVE-2026-21992, affecting two widely deployed Fusion Middleware components, Oracle Identity Manager and Oracle Web Services Manager. 
The vulnerability carries a CVSS 3.1 base score [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-11510","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11510"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11510"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11510\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}