'JOLTandBLEED' flaw leaves PeopleSoft ERP wide open

By

Oracle releases out-of-band patches.

Oracle ERP admins are being urged to apply patches for five serious vulnerabilities that can be used by attackers to steal information and remotely take over the systems without authentication.

'JOLTandBLEED' flaw leaves PeopleSoft ERP wide open

Security vendor ERPscan published details of the vulnerabilities, which affect the Jolt server for Oracle's Tuxedo transaction processing application.

ERPscan said one vulnerability, that it dubbed JOLTandBLEED, allows attackers to remotely siphon off sensitive information such as login credentials on affected servers.

The flaw is a system memory leak, similar to the Heartbleed vulnerability in the OpenSSL cryptographic library, and can be exploited by sending specially crafted data packages to servers over the clear-text HTTP web protocol.

JOLTandBLEED has been given a severity score of 10 out of 10 by Oracle, which has issued urgent patches for that and four other vulnerabilities.

Another flaw, CVE-2017-10269, is rated 9.9 out of 10 for severity.

This bug is in the Jolt Protocol, and a successful exploit enables attackers to compromise entire PeopleSoft systems.

Oracle's PeopleSoft Campus, Human Capital Management, Financial Management and Supply Chain Management applications are vulnerable.

Attackers could abuse the flaw to capture records stored on the systems and alter them, ERPscan said.

A further three remotely exploitable vulnerabilities, rated 5.3, 7.0 and 7.5, have also been fixed by Oracle.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

CBA using facial recognition logins to verify disputed payments

CBA using facial recognition logins to verify disputed payments

Qantas contacted by "potential cyber criminal"

Qantas contacted by "potential cyber criminal"

SA Power Networks tackles IAM, cloud security under five-year strategy

SA Power Networks tackles IAM, cloud security under five-year strategy

Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack

Log In

  |  Forgot your password?