Research Team

EAS-SEC. Oracle PeopleSoft security configuration. Part 9: Insecure trusted connections

Various solutions may be used to create intersystem business processes. Trusted relationships, or Single Sign-On (SSO), between PeopleSoft systems minimize the authentication requirements. If the calling PeopleSoft system (Node) accepts the called system as trusted, the password won’t be required.


PeopleSoft JOLTandBLEED Vulnerability

As a matter of urgency, Oracle has released 5 patches addressing severe vulnerabilities identified by the ERPScan team. The most critical of them have CVSS base scores of 9.9 and even 10.0 and may be exploited over a network without the need for a valid username and password. The issues affect the Jolt server within Oracle Tuxedo, the main component of numerous Oracle products. One of the products that use this component is Oracle PeopleSoft. By exploiting these vulnerabilities, an attacker can gain full access to all data stored in the following ERP systems:


EAS-SEC. Oracle PeopleSoft Security Configuration. Part 8: Access control and SoD conflicts

PeopleSoft offers a wide range of functionality, which is implemented through programs, transactions, and reports. Access to these objects should be strictly regulated by defining user profiles, roles, and permission lists, because access to critical actions (e.g. modifying data or reading any table) enables users to attack PeopleSoft systems in order to steal critical data or escalate their privileges.


SAP HANA for Dummies

This article begins the series “SAP HANA for Dummies”, devoted to reviewing the main features and security issues of SAP HANA. We will consider the key aspects of the system itself and its security, and we will also pay attention to vulnerabilities in several of its modules.
