Oracle Patches Critical Vulnerabilities in PeopleSoft Applications

Oracle has released out-of-band security patches for a component used by multiple ERP applications from its PeopleSoft suite. The updates fix five vulnerabilities, including two critical ones that can be exploited to access data from or completely compromise those systems.

The vulnerabilities are located in the Jolt protocol implementation within Oracle Tuxedo, an application server that facilitates communication between enterprise apps written in different programming languages that run in the same container. Tuxedo is part of Oracle’s Fusion Middleware and is bundled in PeopleSoft applications including Campus Solutions, Human Capital Management, Financial Management and Supply Chain Management.

The vulnerabilities were discovered by researchers from security firm ERPScan and four of them can be exploited remotely without authentication. Two of the flaws have severity scores of 9.9 and 10.0, respectively, based on the Common Vulnerability Scoring System (CVSS).

One of the critical vulnerabilities, CVE-2017-10272, enables attackers to extract data from the memory of a server and was dubbed JOLTandBLEED by the ERPScan researchers because its impact is similar to that of the Heartbleed flaw found in TLS in 2014.

“Manipulating the communication with the client, an attacker can achieve a stable work of a server side and sensitive data leakage,” the ERPScan researchers said in a blog post. “Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server. It leads to the leakage of credentials when a user is entering them through the web interface of a PeopleSoft system.”

Another vulnerability, tracked as CVE-2017-10269, enables attackers to compromise the whole PeopleSoft system, and a third, CVE-2017-10266, makes it possible for attackers to brute-force passwords for DomainPWD, which is used for Jolt protocol authentication. The remaining two flaws, CVE-2017-10267 and CVE-2017-10278, stem from stack and heap overflows.
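The two attack patterns described above (a flood of client connections used to harvest Jolt server memory, and repeated guesses against DomainPWD) both leave a volumetric footprint that a defender can watch for. The script below is an added example, not code from ERPScan, Oracle or the article; it runs a sliding-window count over a constructed connection log. The log layout ("timestamp source destination:port event") and the Jolt listener port 9000 are assumptions for the example, not facts from the page; real deployments should map these onto whatever their firewall, load balancer or Tuxedo domain actually records.

```python
"""Flag sources that open an abnormal number of Jolt connections or pile up
DomainPWD authentication failures inside a short window.

The log format and port below are constructed for this example (not Tuxedo's
own log format); the thresholds are starting points to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

JOLT_PORT = 9000            # assumed Jolt listener port; check the domain config
CONN_THRESHOLD = 50         # connections from one source inside WINDOW
AUTH_FAIL_THRESHOLD = 10    # failed DomainPWD attempts from one source inside WINDOW
WINDOW = timedelta(minutes=5)


def _constructed_log():
    """Build sample lines: one flooding client, one normal client, one guesser."""
    base = datetime(2017, 11, 15, 10, 0, 0)
    lines = []
    # 60 connections from one source within 60 seconds (memory-scraping pattern)
    for i in range(60):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 192.0.2.10:{JOLT_PORT} CONNECT")
    # a normal client: three connections spread over 40 minutes
    for i in range(3):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 192.0.2.10:{JOLT_PORT} CONNECT")
    # 12 failed DomainPWD logins within two minutes (brute-force pattern)
    for i in range(12):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 192.0.2.10:{JOLT_PORT} AUTH_FAIL")
    # a single mistyped password from the normal client
    lines.append(f"{base.isoformat()} 10.0.0.7 192.0.2.10:{JOLT_PORT} AUTH_FAIL")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one constructed log line into (timestamp, source, port, event)."""
    ts, src, dst, event = line.split()
    _host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, int(port), event


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_suspicious(lines):
    """Return {(source, finding): peak_count} for sources crossing a threshold."""
    connects = defaultdict(list)
    failures = defaultdict(list)
    for line in lines:
        ts, src, port, event = parse_line(line)
        if port != JOLT_PORT:
            continue
        if event == "CONNECT":
            connects[src].append(ts)
        elif event == "AUTH_FAIL":
            failures[src].append(ts)
    findings = {}
    for src, stamps in connects.items():
        peak = max_in_window(stamps, WINDOW)
        if peak >= CONN_THRESHOLD:
            findings[(src, "jolt_connection_flood")] = peak
    for src, stamps in failures.items():
        peak = max_in_window(stamps, WINDOW)
        if peak >= AUTH_FAIL_THRESHOLD:
            findings[(src, "domainpwd_bruteforce")] = peak
    return findings


if __name__ == "__main__":
    for (src, kind), count in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(f"{src}: {kind} (peak {count} events in {WINDOW})")
```

The sliding window matters more than a flat per-day count: a legitimate PeopleSoft web tier may open many Jolt connections over a day, but a single source opening dozens within minutes, or failing DomainPWD authentication repeatedly, is the shape of activity the researchers describe and is worth an alert until the Security Alert patches are applied.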

“Note that the Oracle Jolt client is not affected by these vulnerabilities,” Eric Maurice, Oracle’s director of security assurance, said in a blog post. “However, Oracle PeopleSoft products include and make use of Oracle Tuxedo and as a result, PeopleSoft customers should apply the patches provided by this Security Alert. Oracle strongly recommends affected Oracle Customers apply this Security Alert as soon as possible.”

Vulnerabilities Fixed in 3 Popular WordPress Plug-ins

A number of cross-site scripting and other flaws were fixed this week in three WordPress plug-ins installed on millions of websites: Formidable Forms, Duplicator and Yoast SEO.

The most severe flaws were patched in Formidable Forms, a plug-in used to build contact forms, polls and surveys and present on more than 200,000 websites. The vulnerabilities can result in arbitrary shortcode execution, SQL injection, unauthenticated view of form responses and cross-site scripting. The bugs were fixed in versions 2.05.02 and 2.05.03 of the plug-in, but users are advised to upgrade to the latest version—2.05.05 at this time.

Duplicator, a WordPress migration and backup plug-in used by more than 1 million websites, had a stored cross-site scripting vulnerability that affected versions 1.2.28 and older. Users are advised to upgrade to version 1.2.30.

An unauthenticated XSS flaw was also fixed this week in the highly popular Yoast SEO plug-in, which has more than 6 million active installations. The vulnerability affects versions 5.7.1 and older.

WordPress powers more than a quarter of websites on the internet, including many enterprise sites and blogs. This makes it an attractive target for hackers. According to web security firms, the most popular method of breaking into a WordPress site is through vulnerabilities in third-party plug-ins.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
