Oracle rushes out patch to close critical PeopleSoft applications vulnerability affecting more than 6,000 major organisations
Oracle Tuxedo vulnerabilities achieve a perfect '10' in security alert - users urged to patch now
Software giant Oracle has rushed an out-of-band patch out to fix a series of vulnerabilities in its legacy PeopleSoft enterprise resource planning (ERP) software, which were found by specialist security firm ERPScan.
The vulnerabilities will affect more than 6,000 organisations, according to ERPScan, including at least 1,000 where they are exploitable over the internet.
"Technically, it is a memory leakage vulnerability similar to Heartbleed but in Jolt Protocol, a proprietary Oracle protocol," claimed ERPScan. "By sending a series of packets to an HTTP port handled by the Jolt service, it is possible to retrieve memory containing session information, user names and even passwords," it warned.
It continued: "The vulnerability allows full access to the business application [subjecting it to] risks such as espionage, sabotage or fraud. Cyber criminals may exploit the system in different ways depending on their needs.
"As for espionage, the theft of critical information (for example, social security numbers, credit card numbers, salary data and other employee details) can be achieved. The threats are increasingly important as they [also] affect various compliance requirements, such as GDPR."
The rushed-out patches follow the publication of a security alert by Oracle, after ERPScan researchers brought the vulnerabilities to its attention.
"This security alert addresses CVE-2017-10269 and four other vulnerabilities affecting the Jolt server within Oracle Tuxedo. These vulnerabilities have a maximum CVSS score of 10.0 and may be exploited over a network without the need for a valid username and password," the company warned in a freshly issued alert.
Since Oracle Tuxedo is an integral part of Oracle PeopleSoft, users of the ERP software have been urged to apply the patches as a matter of priority.
ERPScan warned that the vulnerabilities could give an attacker full access "to all data" stored in:
- Oracle PeopleSoft Campus Solutions;
- Oracle PeopleSoft Human Capital Management;
- Oracle PeopleSoft Financial Management;
- Oracle PeopleSoft Supply Chain Management.
The organisation described the flaws as follows:
- CVE-2017-10272 is a vulnerability of memory disclosure; its exploitation gives an attacker a chance to remotely read the memory of the server;
- CVE-2017-10267 is a vulnerability of stack overflows;
- CVE-2017-10278 is a vulnerability of heap overflows;
- CVE-2017-10266 is a vulnerability that makes it possible for a malicious actor to brute-force passwords of DomainPWD, which is used for the Jolt Protocol authentication;
- CVE-2017-10269 is a vulnerability affecting the Jolt Protocol; it enables an attacker to compromise the whole PeopleSoft system.
In a blog posting, ERPScan suggested that the vulnerabilities were caused by a programming error in terms of "how [the] Jolt Handler (JSH) processes a command with opcode 0x32. If the package structure is incorrect, a programmer has to provide a Jolt client with a certain Jolt response indicating there is an error in the communication process.
"During this message engineering, the programmer who wrote the code made a mistake in a function call responsible for packing data to transmit. The confusion was between two functions, jtohi and htoji. Consequently, packing of a constant package length that must be 0x40 bytes is actually 0x40000000.
"Then [when] a client initiates the transmission of 0x40000000 bytes of data. Manipulating the communication with the client, an attacker can achieve a stable work of a server side and sensitive data leakage.
"Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server. It leads to the leakage of credentials when a user is entering them through the web interface of a PeopleSoft system."
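To make the byte-order mix-up ERPScan describes concrete, here is a constructed C model, not Oracle's code and not taken from ERPScan's post: it assumes the length field is a 32-bit big-endian wire integer written from a little-endian host, uses stand-in packing routines in place of htoji/jtohi, and adds the receiver-side sanity check (with an assumed ceiling, MAX_ACCEPTED_LEN) that stops a mis-encoded length from being trusted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumptions (not from the advisory): the wire length field is a 32-bit
 * big-endian integer and the sending host is little-endian. htoji/jtohi are
 * Oracle's own helpers; the two pack routines below are constructed stand-ins. */
#define JOLT_ERR_RESPONSE_LEN 0x40u      /* constant quoted by ERPScan          */
#define MAX_ACCEPTED_LEN      0x10000u   /* hypothetical receiver ceiling       */

/* Correct: host value -> wire (big-endian) order, what the packer should emit. */
static void pack_len_correct(uint32_t len, uint8_t out[4]) {
    out[0] = (uint8_t)(len >> 24); out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);  out[3] = (uint8_t)len;
}

/* Buggy: the value leaves in host (little-endian) order, modelling the wrong
 * conversion call; the four bytes are the reverse of the correct encoding. */
static void pack_len_buggy(uint32_t len, uint8_t out[4]) {
    out[0] = (uint8_t)len;         out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)(len >> 16); out[3] = (uint8_t)(len >> 24);
}

/* Receiver side: decode the field as big-endian, as the wire format specifies. */
uint32_t decode_len(const uint8_t in[4]) {
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
}

/* Hardened receiver: never trust an announced length above a sane ceiling
 * or beyond the bytes actually buffered, whatever the peer claims. */
bool length_is_sane(uint32_t announced, size_t buffered) {
    return announced <= MAX_ACCEPTED_LEN && announced <= buffered;
}

uint32_t announced_len_correct(void) {
    uint8_t w[4]; pack_len_correct(JOLT_ERR_RESPONSE_LEN, w); return decode_len(w);
}
uint32_t announced_len_buggy(void) {
    uint8_t w[4]; pack_len_buggy(JOLT_ERR_RESPONSE_LEN, w); return decode_len(w);
}

int main(void) {
    printf("correct encoding announces 0x%x bytes\n", (unsigned)announced_len_correct());
    printf("buggy encoding announces   0x%x bytes\n", (unsigned)announced_len_buggy());
    printf("receiver accepts buggy length? %s\n",
           length_is_sane(announced_len_buggy(), 0x40) ? "yes" : "no");
    return 0;
}
```

The 0x40 constant, reversed byte by byte, is exactly 0x40000000, which is the figure ERPScan quotes; the point for defenders is that a receiver bound-checking announced lengths against its own buffer would refuse such a frame instead of serving up a gigabyte of process memory.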
The new alert comes just over two weeks after Oracle warned about another 10-out-of-10 vulnerability, that time in its Oracle Identity Manager.