'JOLTandBLEED' flaw leaves PeopleSoft ERP wide open

Oracle ERP admins are being urged to apply patches for five serious vulnerabilities that can be used by attackers to steal information and remotely take over the systems without authentication.

Security vendor ERPscan published details of the vulnerabilities, which affect the Jolt server for Oracle's Tuxedo transaction processing application.

ERPscan said one vulnerability, that it dubbed JOLTandBLEED, allows attackers to remotely siphon off sensitive information such as login credentials on affected servers.

The flaw is a system memory leak, similar to the Heartbleed vulnerability in the OpenSSL cryptographic library, and can be exploited by sending specially crafted data packages to servers over the clear-text HTTP web protocol.

JOLTandBLEED has been given a severity score of 10 out of 10 by Oracle, which has issued urgent patches for that and four other vulnerabilities.

Another flaw, CVE-2017-10269, is rated 9.9 out of 10 for severity.

This bug is in the Jolt Protocol, and a successful exploit enables attackers to compromise entire PeopleSoft systems.

Oracle's PeopleSoft Campus, Human Capital Management, Financial Management and Supply Chain Management applications are vulnerable.

Attackers could abuse the flaw to capture records stored on the systems and alter them, ERPscan said.

A further three remotely exploitable vulnerabilities, rated 5.3, 7.0 and 7.5, have also been fixed by Oracle.