Oracle has issued an emergency security update for five vulnerabilities found in its various products that rely on the proprietary Jolt protocol.
The vulnerabilities were discovered by researchers at ERPScan, a cybersecurity firm that named them JoltandBleed.
Attackers can exploit these vulnerabilities without valid user credentials and can gain full access to all data stored in the ERP systems of the affected Oracle products.
The products affected are Oracle PeopleSoft Campus Solutions, Human Capital Management, Financial Management, Supply Chain Management and other products using the Tuxedo 2 application server.
Below are the details of the vulnerabilities discovered:
- CVE-2017-10272 (9.9 on the CVSS scale) is a memory disclosure vulnerability; its exploitation gives an attacker a chance to remotely read the memory of the server.
- CVE-2017-10267 (7.5 on the CVSS scale) is a stack overflow vulnerability.
- CVE-2017-10278 (7.0 on the CVSS scale) is a heap overflow vulnerability.
- CVE-2017-10266 (5.3 on the CVSS scale) is a vulnerability that makes it possible for a malicious actor to brute-force the DomainPWD password, which is used for Jolt protocol authentication.
- CVE-2017-10269 (10 on the CVSS scale) is a vulnerability affecting the Jolt protocol; it enables an attacker to compromise the whole PeopleSoft system.
According to ERPScan: “This error originates in how the Jolt Handler (JSH) processes a command with opcode 0x32. If the package structure is incorrect, a programmer has to provide a Jolt client with a certain Jolt response indicating there is an error in the communication process.”
The CVE-2017-10272 vulnerability is a memory leakage vulnerability which can be easily exploited by an attacker with network access via Jolt to compromise Oracle Tuxedo.
Oracle has advised users to apply the released updates immediately.
Below is the video released by ERPScan: