Oracle issues urgent update to patch remote exploits


Oracle has released an out-of-schedule critical update to patch five issues found in the Jolt server within Oracle Tuxedo.

One of the products that uses this component is Oracle PeopleSoft. In its advisory, Oracle said the vulnerabilities had a maximum CVSS score of 10.0 and could be exploited over a network without the need for a valid username and password. It added that the Oracle Jolt client was not affected.

"Since Oracle PeopleSoft products include and use Oracle Tuxedo in their distributions, PeopleSoft customers should apply the Tuxedo patches referenced below," the company said, with a list of patches provided.

"Due to the severity of these vulnerabilities, Oracle strongly recommends that customers apply the updates provided by this security alert as soon as possible."

European security company ERPScan discovered the vulnerabilities and presented a paper about them at the DeepSec conference in Vienna on Thursday.

Because PeopleSoft is affected, more than 6000 enterprises, including 57% of the Fortune 100, are at risk.

One of the vulnerabilities gives unauthorised remote access to the system. It is a memory leakage vulnerability similar to Heartbleed and is present in the Jolt protocol, a proprietary Oracle protocol.

ERPScan dubbed it JoltandBleed and said that by sending a series of packets to the HTTP port handled by the Jolt service, one could retrieve memory containing session information, usernames and even passwords.
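The bug class the article compares to Heartbleed is a server that copies as many bytes as the client claims to have sent, rather than as many as it actually received, so the reply carries whatever sits next to the request in memory. The following added example (not ERPScan's or Oracle's code, and using a hypothetical two-byte length-prefixed message rather than the real Jolt wire format, which the article does not describe) shows the unchecked handler beside the hardened one, with a constructed block of "server memory" in which a session token sits right after the request.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical message layout (assumption for this example, NOT Jolt):
 *   bytes 0..1 : claimed payload length, big-endian
 *   bytes 2..  : payload                                                */
#define HDR_LEN 2
#define OUT_CAP 32

/* Constructed server memory: the received request occupies the first
 * bytes; a session token (the kind of data the article says leaks)
 * happens to sit immediately after it.                                   */
static const uint8_t server_mem[] = {
    0x00, 0x10,                       /* client claims 16 payload bytes ... */
    'h', 'i',                         /* ... but actually sent only 2       */
    'S','E','S','S','I','O','N','=',  /* adjacent memory: a session token   */
    's','3','c','r','3','t','!','!'
};
static const size_t received_len = HDR_LEN + 2;   /* bytes really on the wire */

static size_t claimed_len(const uint8_t *req) {
    return ((size_t)req[0] << 8) | req[1];
}

/* Vulnerable handler: trusts the client's claimed length. The clamp to
 * out_cap prevents a write overflow but does nothing about over-reading. */
size_t echo_unchecked(const uint8_t *req, uint8_t *out, size_t out_cap) {
    size_t n = claimed_len(req);
    if (n > out_cap) n = out_cap;
    memcpy(out, req + HDR_LEN, n);
    return n;
}

/* Hardened handler: the copy length is bounded by what was received.
 * A claim larger than the payload is a protocol error and is rejected.   */
size_t echo_checked(const uint8_t *req, size_t received,
                    uint8_t *out, size_t out_cap) {
    if (received < HDR_LEN) return 0;              /* header incomplete   */
    size_t n = claimed_len(req);
    if (n > received - HDR_LEN) return 0;          /* claim exceeds payload */
    if (n > out_cap) return 0;                     /* would not fit reply   */
    memcpy(out, req + HDR_LEN, n);
    return n;
}

/* Returns 1 if the reply contains the constructed token marker. */
int reply_contains_token(const uint8_t *out, size_t n) {
    static const char marker[] = "SESSION=";
    size_t mlen = sizeof(marker) - 1;
    for (size_t i = 0; i + mlen <= n; i++)
        if (memcmp(out + i, marker, mlen) == 0) return 1;
    return 0;
}

/* Demo: does the unchecked handler leak the adjacent token?  (1 = yes) */
int demo_unchecked_leaks(void) {
    uint8_t out[OUT_CAP];
    size_t n = echo_unchecked(server_mem, out, OUT_CAP);
    return reply_contains_token(out, n);
}

/* Demo: how many bytes does the hardened handler return for the same
 * over-claiming request?  (0 = rejected)                                 */
size_t demo_checked_rejects(void) {
    uint8_t out[OUT_CAP];
    return echo_checked(server_mem, received_len, out, OUT_CAP);
}

/* Demo: the hardened handler still serves a well-formed request. */
size_t demo_checked_accepts_valid(void) {
    static const uint8_t ok[] = { 0x00, 0x02, 'h', 'i' };
    uint8_t out[OUT_CAP];
    return echo_checked(ok, sizeof ok, out, OUT_CAP);
}
```

The fix is the single comparison of the claimed length against the byte count the transport actually delivered; a clamp to the output buffer alone, as in `echo_unchecked`, stops crashes but still discloses memory.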

The five vulnerabilities:

  • CVE-2017-10272, a memory disclosure flaw; exploitation allows an attacker to remotely read the memory of the server.
  • CVE-2017-10267 can be used to trigger stack overflows.
  • CVE-2017-10278 can be used to cause heap overflows.
  • CVE-2017-10266 makes it possible for a malicious actor to brute-force the DomainPWD password, which is used for Jolt protocol authentication.
  • CVE-2017-10269 is a vulnerability affecting the Jolt protocol; it enables an attacker to compromise the whole PeopleSoft system.