Oracle rushes out 5 patches for huge vulnerabilities in PeopleSoft app server

Enlarge (credit: Liftarn (Public Domain))

Oracle issued a set of urgent security fixes on Tuesday that repair vulnerabilities revealed today by researchers from the managed security provider ERPScan at the DeepSec security conference in Vienna, Austria. The five vulnerabilities include one dubbed “JoltandBleed” by the researchers because of its similarity to the HeartBleed vulnerability discovered in OpenSSL in 2014. JoltandBleed is a serious vulnerability that could expose entire business applications running on PeopleSoft platforms accessible from the public Internet.

The products affected include Oracle PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management, as well as any other product using the Tuxedo 2 application server. According to recent research by ERPScan, more than 1,000 enterprises have their PeopleSoft systems exposed to the Internet, including a number of universities that use PeopleSoft Campus Solutions to manage student data.

JoltandBleed is a memory leakage vulnerability in Oracle’s proprietary Jolt protocol, used by the Tuxedo 2 application server. Crafted network packets sent to the HTTP port controlled by the Jolt service could potentially extract data from memory on the app server, including session information, user names, and passwords in plain text, as demonstrated in a video at the conference: