Oracle urgently closed memory leaking vulnerability affecting all PeopleSoft applications

Vienna, Austria – November 16, 2017, on Tuesday Oracle released an out-of-plan critical update (Security Alert Advisory) for a second time; the details of these vulnerabilities and the examples of business risks have been presented by ERPScan researchers at DeepSec conference in Vienna today.

A set of 5 issues were found in Oracle application server called Tuxedo, 2 of them (CVE-2017-10272 and CVE-2017-10269) have the highest CVSS rating of 10.0 and 9.9. Tuxedo is a core tool for multiple Oracle business products including Oracle PeopleSoft, thus it affects over 6000 enterprises (57% of the Fortune 100 list) as well as Government and Education companies that use various Peoplesoft Systems such as Campus Solutions, Human Capital Management, Financial Management or Supply Chain Management. Nearly 1000 of them are remotely exploitable through the Internet, according to the latest research.

One of the detected vulnerabilities rated 10 CVSS gives an unauthorized remote access to the system. Technically, it is a memory leakage vulnerability similar to HeartBleed but in Jolt Protocol, a proprietary Oracle’s protocol, so it may be dubbed JoltandBleed. By sending a series of packets to HTTP port handled by Jolt service, it is possible to retrieve memory-containing session information, usernames and even passwords as it was demonstrated in the video.

The vulnerability allows full access to the business application which will be subject to risks such as espionage sabotage or fraud. Cybercriminals may exploit the system in different ways depending on their needs. As for espionage, theft of critical information (e.g. SSN’s credit card numbers, salary data and other employee details) can be achieved. The threats are increasingly important as they affect various compliance requirements such as GDPR.

More advanced attack vector that was demonstrated at DeepSec conference affects Peoplesoft Campus Solutions which is one of the most popular applications in Education. Students may use this vulnerability to gain financial aid or be awarded and delete payment orders for their education to save money.

Other technical details with a video are available in our blog post.