ERPScan Researchers Help Oracle To Fix Critical Architecture Vulnerabilities In Oracle’s PeopleSoft And WebLogic Applications

Palo Alto – November 26, 2014. To start with, let us remind you that one month ago Oracle published new patches fixing multiple vulnerabilities in its products. There were 154 fixes for various business applications. Most important for our discussion, among them were fixes for vulnerabilities in PeopleSoft and WebLogic Application Server found by the ERPScan research team.

At ERPScan, one of our core philosophies is to make our customers' job as easy as possible, so we give them additional time to apply fixes after a patch has been released. That is why we are sharing information about these vulnerabilities only now, one month after the patch release.

Let us get right to the topic, starting with the vulnerability found in Oracle PeopleSoft. By means of this vulnerability, a remote authenticated attacker can escalate his privileges, because the required passwords are stored insecurely, obfuscated only with XOR rather than properly encrypted.

As regards the vulnerability in Oracle WebLogic Application Server, when it is used with Oracle PeopleSoft it makes it possible to bypass authorization checks remotely. WebLogic users get various permissions depending on the role model, which in turn is configured through the administrative web panel. Because in many cases the protection exists only on the client side and the server performs no check of its own, any authenticated user without administrative or any other critical rights can perform critical operations on the server. As an example, such a user can read any file or deploy a web shell on the server.

For further references on Oracle PeopleSoft vulnerabilities, see the following link.

"The results of our research work are then transferred to the products we supply our customers with. We will keep on carrying out investigations of critical issues in various business applications from such vendors as SAP and Oracle, so as to ensure that our products have the best security practices implemented and stay up to date with the latest vulnerabilities. Taking into account that the PeopleSoft HRMS system is exposed to the Internet more often than not, we recommend that all our customers apply the patches immediately,"

said Alexey Tuyrin, head of ERPScan Research Team.

Details on the patched vulnerabilities can be found here:
Advisory №1
Advisory №2

Since 2010, the ERPScan research team has received recognition from Oracle at least 10 times and has consequently helped to disclose more than 30 vulnerabilities in Oracle Database and Oracle's business applications.

About Oracle WebLogic Server
Oracle WebLogic Server is one of the most widespread commercial Java application servers; it stands alongside Oracle's other leading products.

About Oracle PeopleSoft
Oracle PeopleSoft was originally the ERP system of the PeopleSoft company. Although the company was acquired by Oracle in 2005, the product line is still growing. Among the most popular PeopleSoft products are the HRMS, CRM, FMS and SCM solutions, all widely deployed, especially in the US.