Oracle Corporation issued a series of emergency patches on Tuesday last week, fixing five vulnerabilities in its Tuxedo middleware platform, including a critical one that has been compared to Heartbleed.
Specifically, the bugs are all found within Tuxedo's Jolt server. Because Oracle's PeopleSoft HR management products use Tuxedo in their distributions, users of PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management are especially impacted because attackers can leverage the vulnerabilities to gain access to data stored in these systems.
The most serious of the five bugs is CVE-2017-10269 – a memory leakage vulnerability in the core component of the Jolt server protocol, which can be remotely exploited without authorisation. Dubbed JoltandBleed because it resembles Heartbleed – a 2014 security bug found in the OpenSSL cryptography library – the flaw has been assigned a CVSS base score of 10.0.
If exploited, the vulnerability allows malicious actors to compromise the entire PeopleSoft system, according to ERPScan, whose application security researcher Dmitrii Ludin discovered JoltandBleed and the four other vulnerabilities.
"By sending a series of packets to [the] HTTP port handled by Jolt service, it is possible to retrieve memory containing session information, usernames, and even passwords," states ERPScan in a press release. At that point, attackers could access such critical information as Social Security numbers, credit card numbers, salary data, and other employee data.
Access to PeopleSoft Campus Solutions in particular could even allow malicious students "to gain financial aid or be awarded and delete payment orders for their education to save money," the release continues.
Also quite serious, with a CVSS score of 9.9, is CVE-2017-10272, a memory disclosure vulnerability that attackers can exploit to remotely read the server's memory. The remaining three issues consist of a stack overflow bug (CVE-2017-10267), heap overflow vulnerability (CVE-2017-10278), and CVE-2017-10266, which ERPScan describes in a blog post as a "vulnerability that makes it possible for a malicious actor to brute-force passwords of DomainPWD, which is used for the Jolt Protocol authentication."
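The two memory-disclosure bugs above belong to the same class as Heartbleed: a server trusts a length field supplied by the client and copies that many bytes into its reply, so the copy runs past the request and into whatever happens to sit next to it in memory (session data, credentials). The following C program is an added illustration of that bug class and its fix; it is not Oracle's Jolt code, not ERPScan's proof of concept, and the packet layout (a 2-byte big-endian length followed by a payload) and the adjacent "session secret" are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy wire format: [2-byte big-endian payload length][payload bytes]. */
#define ARENA_SIZE 64

/* Vulnerable echo handler: copies as many bytes as the CLIENT claims, clamped only to the
 * output buffer. Nothing ties the copy to what the request actually carries, so an
 * over-long claim reads past the request into adjacent memory (Heartbleed-style). */
size_t echo_vulnerable(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap)
{
    if (req_len < 2)
        return 0;
    size_t claimed = ((size_t)req[0] << 8) | req[1];
    if (claimed > out_cap)
        claimed = out_cap;          /* protects 'out' only, not the source */
    memcpy(out, req + 2, claimed);  /* BUG: 'claimed' may exceed req_len - 2 */
    return claimed;
}

/* Hardened handler: the copy is bounded by the bytes the packet really contains.
 * A claim larger than the payload is a malformed packet and is rejected, not clamped. */
size_t echo_fixed(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap)
{
    if (req_len < 2)
        return 0;
    size_t claimed = ((size_t)req[0] << 8) | req[1];
    if (claimed > req_len - 2 || claimed > out_cap)
        return 0;
    memcpy(out, req + 2, claimed);
    return claimed;
}

/* Byte-string search without the non-portable memmem(). Returns 1 if found. */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || n < m)
        return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Lays out a constructed arena as [request][session secret] and asks one handler to echo
 * the request. Returns 1 if the secret ends up in the reply, 0 otherwise. */
int demo_leaks_secret(int use_fixed)
{
    uint8_t arena[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    const char *secret = "SESSION=abc123";   /* constructed stand-in for session data */

    /* Request claims 32 payload bytes but carries only 4 ("ping"). */
    arena[0] = 0x00;
    arena[1] = 0x20;
    memcpy(arena + 2, "ping", 4);
    size_t req_len = 2 + 4;
    memcpy(arena + req_len, secret, strlen(secret));  /* adjacent memory */

    uint8_t out[ARENA_SIZE];
    memset(out, 0, sizeof out);
    size_t n = use_fixed ? echo_fixed(arena, req_len, out, sizeof out)
                         : echo_vulnerable(arena, req_len, out, sizeof out);
    return contains(out, n, secret);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", demo_leaks_secret(0) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n", demo_leaks_secret(1) ? "yes" : "no");
    return 0;
}
```

The over-read here stays inside one array so the program is well defined; in a real server the same copy would walk into heap memory belonging to other requests. The defensive point is the shape of the fix: a length taken from the network is validated against the bytes actually received and rejected on mismatch, never clamped to the output buffer alone.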
Versions 11.1.1, 12.1.1, 12.1.3 and 12.2.2 of Tuxedo are affected by the vulnerabilities.