
Oracle issues emergency patch for JoltandBleed bug in Tuxedo middleware

Oracle Corporation issued a series of emergency patches on Tuesday, fixing five vulnerabilities in its Tuxedo middleware platform, including a critical one that has been compared to Heartbleed.

Specifically, the bugs are all found within Tuxedo's Jolt server. Because Oracle's PeopleSoft HR management products use Tuxedo in their distributions, users of PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management are especially impacted because attackers can leverage the vulnerabilities to gain access to data stored in these systems.

The most serious of the five bugs is CVE-2017-10269 – a memory leakage vulnerability in the core component of the Jolt server protocol, which can be remotely exploited without authorization. Dubbed JoltandBleed because it resembles Heartbleed – a 2014 security bug found in the OpenSSL cryptography library – the flaw has been assigned a CVSS base score of 10.0.

If exploited, the vulnerability allows malicious actors to compromise the entire PeopleSoft system, according to ERPScan, whose application security researcher Dmitrii Ludin discovered JoltandBleed and the four other vulnerabilities.

"By sending a series of packets to [the] HTTP port handled by Jolt service, it is possible to retrieve memory containing session information, usernames, and even passwords," states ERPScan in a press release. At that point, attackers could access such critical information as Social Security numbers, credit card numbers, salary data, and other employee data.

Access to PeopleSoft Campus Solutions in particular could even allow malicious students "to gain financial aid or be awarded and delete payment orders for their education to save money," the release continues.

Also quite serious, with a CVSS score of 9.9, is CVE-2017-10272, a memory disclosure vulnerability that attackers can exploit to remotely read the server's memory. The remaining three issues consist of a stack overflow bug (CVE-2017-10267), heap overflow vulnerability (CVE-2017-10278), and CVE-2017-10266, which ERPScan describes in a blog post as a "vulnerability that makes it possible for a malicious actor to brute-force passwords of DomainPWD, which is used for the Jolt Protocol authentication."

Versions 11.1.1, 12.1.1, 12.1.3 and 12.2.2 of Tuxedo are affected by the vulnerabilities.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
