EAS-SEC. Oracle PeopleSoft Security Configuration. Part 2: Patch Management
In our previous article, we’ve already introduced you to the list of the 9 most important business application security issues for Oracle PeopleSoft. Now it’s high time to pay attention to the more detailed explanation of each area. The first topic to discuss is Oracle PeopleSoft Patch Management.
The necessary condition for ensuring a full-scale system security is to install security support packages regularly. On Tuesday closest to the 17th of January, April, July, and October, the vendor issues new security fixes of various severity levels. Since January 2005, Oracle has released Critical Patch Updates (CPU) with more than 4600 security fixes. As you can see from the graph below, the average number of security fixes is increasing every year (see figure 1).
Speaking of PeopleSoft in particular, the total number of security issues fixed each year is shown below. The number of issues closed each year doubled in 2010 (see figure 2).
PeopleSoft has a set of different products. If any of them lacks even a single patch, an attacker can exploit a corresponding issue and possibly intercept control over the whole system in the end. That is why it is necessary to develop and establish a patch management process to ensure the implementation of adequate preventive measures against potential threats. Below, two major checks are given that must be in place to address the most critical problems.
[EASAI-PS-01] PeopleSoft Enterprise PeopleTools updates
PeopleTools provides the underlying technology for PeopleSoft applications. All PeopleSoft applications (such as Human Capital Management and Financial Management) are built, deployed, and maintained using PeopleTools.
PeopleSoft Enterprise PeopleTools is updated via patches, which are designed to fix system errors by replacing objects with outdated and vulnerable versions. Every next following support patch is cumulative, i.e. it contains all previous updates.
Vulnerabilities are reported in PeopleSoft PeopleTools Critical Patch Update Advisory and an attacker can learn a vulnerable component. Also, a malicious person can download the patches and reverse them to know a fixed vulnerability. A late implementation of security patches allows an adversary to exploit corresponding vulnerabilities, to get an unauthorized access to sensitive information, to manipulate certain data, and compromise a vulnerable system.
Of note, PeopleTools Updates mostly fix highly critical vulnerabilities. Thus, the priority of PeopleTools updates should be higher than Applications ones.
The examples of the vulnerabilities in PeopleTools:
- In PeopleSoft PeopleTools 8.54 and earlier versions, password length is set to be between 6 and 8 characters for Access ID and Connect ID. Such restriction facilitates a brute force attack.
- In January 2017 Critical Patch Update for PeopleTools, there was a vulnerability (rated 9.8 by CVSS base score), which allowed an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools (CVE-2016-6303).
Most recommended is to upgrade PeopleTools to the latest version.
Also, it is necessary to perform regular checks for PeopleTools patches implementation by using the following patch management process steps:
- Detecting security issues and uninstalled patches
- Assessing risks for identified vulnerabilities
- Implementing security patches
- Monitoring results
To obtain information on the current PeopleTools patches via PeopleSoft Portal on a page, press a shortcut key combination Ctrl+J (or Ctrl+Shift+J). The information on the latest PeopleTools patch is stored at the My Oracle Support portal.
A PeopleSoft patch is usually downloaded as a system and executable files directory that replaces a previous one. PeopleSoft Change Assistant (CA) utility also allows automating many of the steps in an upgrade or update process.
[EASAI-PS-02] PeopleSoft Enterprise Applications updates
Patches are designed to fix system errors by replacing the objects with outdated and vulnerable versions. Patches of PeopleSoft Enterprise Applications are classified as: Critical, General, Legislative, Security (Oracle Critical Patch Updates).
In PeopleSoft 9.2, use PeopleSoft Update Images (PIs), which are cumulative patches, i.e. all previous updates and separate patches that are not yet included in the PI. In PeopleSoft 9.1 patches are separate and require early to be installed first. The way to fix a security vulnerability is to apply a Patch for Bug ID, which is mentioned in Critical Patch Update Pre-installation Notes. Previous versions of PeopleSoft Applications are not supported by Oracle.
An attacker can learn a vulnerable component by using PeopleSoft Enterprise Applications Critical Patch Updates, download the patches and reverse them to find out which vulnerabilities has been already fixed. A malicious person can exploit a vulnerability to get an unauthorized access to sensitive information, if a security patch is skipped.
For example, in case of successful exploitation of a vulnerability in the PeopleSoft Enterprise HCM component (CVSS score 6.0, CVE-2015-4887) in Oracle PeopleSoft Products 9.2, remote authenticated users can affect confidentiality, integrity, and availability via ePerformance.
It is recommended to upgrade PeopleSoft Enterprise Applications to the latest version and perform patch management by monitoring and implementing Oracle Critical Patch Updates.
To find PeopleSoft Applications Critical Patch Updates, go to the Critical Patch Updates, Security Alerts and Third Party Bulletin page on Oracle portal. Locate the required security patch with a bug number in My Oracle Support (MOS) and download separate patch/patchset or PeopleSoft Update Image (for PeopleSoft 9.2).
Use PeopleSoft Update Manager (PUM) (for PeopleSoft 9.2) to search for updates and create custom change package definitions and Change Assistant (CA) to apply patches.
In PeopleSoft 9.1, use only Change Assistant to apply downloaded change packages from MOS.
In addition to Peopletools and Applications, the implementation of security patches should be checked for other components such as Web Application Server (Oracle WebLogic Server or IBM WebSphere Application Server), Oracle Tuxedo, operating systems where the PeopleSoft services are installed, as well as for Database that store the PeopleSoft data and library updates (e.g. JDK).
That’s all. We considered the 2 most critical areas of patch management in Oracle PeopleSoft. Stay tuned, as we will return with the next part of Oracle PeopleSoft Security Configuration guideline soon.