Oracle pushes emergency patch for critical Tuxedo server vulnerabilities

Two of the vulnerabilities have achieved a rating of 10 and 9.9 in severity.

screen-shot-2017-11-16-at-14-43-49.jpg
CBS Interactive

Oracle has released an emergency patch outside of scheduled security updates to resolve serious server vulnerabilities, some of which have achieved top severity ratings.

On Thursday, ERPScan revealed the details of the vulnerabilities, which affect the Oracle application server Tuxedo. The company said that five bugs were found in total, and two of them received incredibly high CVSS ratings of 10.0 and 9.9.

Oracle Tuxedo is application server software used by enterprise players in the private cloud or for traditional data centers in order to develop, deploy, and manage applications.

The vulnerabilities were presented at the DeepSec conference in Vienna, in which ERPScan researchers said that Tuxedo is core to many business setups and at least 6000 enterprises are thought to be affected.

The most severe security flaw, CVE-2017-10272 -- rated CVSS 10.00 -- is a memory leak issue similar to HeartBleed which was found in Jolt, a proprietary Oracle protocol.

By sending crafted packets to the HTTP port handled by Jolt, an attacker is able to grab session information, usernames, and passwords, and therefore gain access to the system.

"Manipulating the communication with the client, an attacker can achieve a stable work of a server-side and sensitive data leakage," the researchers say. "Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server. It leads to the leakage of credentials when a user is entering them through the web interface of a PeopleSoft system."

As Jolt is used by Oracle ERP systems, attackers can gain access to Oracle PeopleSoft Campus Solutions, PeopleSoft Human Capital Management, PeopleSoft Financial Management, PeopleSoft Supply Chain Management, and more.

CVE-2017-10269, the second most severe vulnerability disclosed, is a bug which permits a full compromise of the PeopleSoft system.

ERPScan researchers also disclosed CVE-2017-10267, a stack overflow bug, CVE-2017-10278, a heap overflow issue, and CVE-2017-10266, a security flaw which permits attackers to brute-force passwords of DomainPWD, which is used by the Jolt protocol.

Oracle Tuxedo versions 11.1.1, 12.1.1, 12.1.3, and 12.2.2 are affected by the vulnerabilities.

Oracle has released an emergency patch to fix these issues and IT administrators are asked to apply the update immediately.

"Due to the severity of these vulnerabilities, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible," the company said in a security advisory.

Earlier this month, Oracle released an emergency fix for Oracle Identity Manager which allowed attackers to completely hijack the software through an unauthenticated network attack.

In Oracle's October Critical Patch Update (CPU), the company resolved 252 vulnerabilities impacting software including Oracle Fusion Middleware, Oracle Hospitality, Oracle MySQL, and PeopleSoft. The worst of the bugs, of which one attained a CVSS score of 9.6, resulted in everything from remote code execution to denial-of-service.

Previous and related coverage

    Oracle and cloud: Success demands a customer-centric culture

    Three top enterprise software industry analysts explain Oracle's plans and strategy. Learn what it means for Oracle customers and to your company.

    Oracle pushes out emergency fix for remote system hijack vulnerability

    The vulnerability, as bad as it gets, allows attackers to remotely take over enterprise software without authentication.

    Oracle swats 252 bugs in patch update

    Hundreds of different products are affected by a range of vulnerabilities tackled in the update.

      Newsletters

      You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
      See All
      See All