[ERPSCAN-18-001] Information Disclosure in PeopleSoft Listening Connector

Application: Oracle PeopleSoft
Versions Affected: Oracle PeopleTools 8.54 – 8.56
Vendor: Oracle
Bugs: Information Disclosure
Reported: 15.06.2017
Vendor response: 16.06.2017
Date of Public Advisory: 17.01.2018
Reference: Oracle CPU January 2018
Authors: Dmitri Iudin aka @ret5et (ERPScan)

VULNERABILITY INFORMATION

Class: Information Disclosure
Risk: Medium
Impact: Sensitive data may be exposed to attackers
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-2605

CVSS Information

CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) Low (L)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality High (H)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

VULNERABILITY DESCRIPTION

A remote unauthenticated attacker can obtain a PIA user and the FQDN of the PeopleSoft server via a trivial POST request.

VULNERABLE PACKAGES

Oracle PeopleTools: 8.54
Oracle PeopleTools: 8.55
Oracle PeopleTools: 8.56

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement the Oracle CPU January 2018.

TECHNICAL DESCRIPTION

Proof of Concept