Oracle scrambles to sew up horrid security holes in PeopleSoft's Tuxedo
Nothing like unauth'd hijacking, Heartbleed-style bugs to patch ASAP
Oracle has published an out-of-band software update to address a handful of security flaws in parts of the PeopleSoft HR software.
The House of Larry said this week the five CVE-listed vulnerabilities all sit within the Jolt component of Tuxedo, an application server used by PeopleSoft to handle non-Java applications.
"Since Oracle PeopleSoft products include and use Oracle Tuxedo in their distributions, PeopleSoft customers should apply the Tuxedo patches," Oracle explained.
The most serious of the flaws, CVE-2017-10269, allows an attacker with network access to the Jolt web application interface on a target server to effectively take over the underlying Tuxedo software and, in the process, compromise PeopleSoft-powered systems without the need for authentication.
"Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo," the NIST summary reads.
A second flaw, CVE-2017-10272, requires the attacker to first log into the victim's server in order to exploit it. The programming blunder is very similar to OpenSSL's Heartbleed, and has even been dubbed Joltandbleed, as it allows an attacker to siphon off memory from the server and then leverage that information to cause more mischief and damage.
A third flaw, CVE-2017-10266, can be exploited to brute-force DomainPWD passwords to gain read-only access to data. A fourth bug, CVE-2017-10267, is a stack-overflow blunder that can be easily exploited to bypass authentication.
The final vulnerability, CVE-2017-10278, is a heap-overflow hole that is difficult to exploit, we're told, but can also be used to bypass authentication.
Oracle is advising all companies running Tuxedo versions 11.1.1, 12.1.1, 12.1.3, and 12.2.2 on PeopleSoft to update their installations as soon as possible.
The database giant's updates come as many admins already find themselves bogged down installing the monthly security updates from Microsoft as well as a massive November patch from Adobe. ®