Oracle generally only issues security patches for its applications as part of a quarterly Critical Patch Update, but on Nov. 14 the company rushed out an emergency patch for five critical flaws in its Tuxedo application—which is included in PeopleSoft products—that could enable a hacker to abuse the Jolt protocol and could leave enterprises at risk.
Security firm ERPscan initially disclosed the issues privately to Oracle, but on Nov. 16 publicly provided the technical details of the flaw in a talk at the DeepSec conference in Vienna, Austria. ERPscan has dubbed the flaw “JoltandBleed” as a reference to the OpenSSL Heartbleed vulnerability that enabled a similar kind of leakage in encrypted Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic.
“This Security Alert addresses CVE-2017-10269 and four other vulnerabilities affecting the Jolt server within Oracle Tuxedo,” Oracle warned in its security advisory. “These vulnerabilities have a maximum CVSS score of 10.0 and may be exploited over a network without the need for a valid username and password.”
CVSS is the Common Vulnerability Scoring System that is used to rate the severity of a given flaw: 10.0 is the highest possible CVSS score and is only assigned to the most critical and impactful vulnerabilities.
The CVE-2017-10269 vulnerability is a flaw within the Jolt protocol implementation used in Oracle Tuxedo that could enable an attacker to gain full control of a vulnerable system. Oracle Tuxedo is used within multiple other platforms, most notably Oracle’s PeopleSoft enterprise software, which is widely used by large enterprises.
In a technical description of the CVE-2017-10269 vulnerability, ERPscan explained that the root cause is how the Jolt handler process deals with an opscode 0x32 command. According to ERPscan, by manipulating the communication with the client, an attacker can trigger a steady leak of server-side memory, including sensitive data.
“Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server,” ERPscan warned. “It leads to the leakage of credentials when a user is entering them through the web interface of a PeopleSoft system.”
ERPscan founder and CTO Alexander Polyakov said that the flaws his firm discovered are dangerous and affect hundreds of Fortune 500 companies as well as government enterprises. That said, to date, he doesn’t have any evidence that the flaws have already been exploited in the wild by attackers. ERPscan was able to detect and identify the JoltandBleed vulnerabilities using its own research capabilities.
“We perform deep research of each component of ERP [enterprise resource management] systems from SAP and Oracle; this time we did analysis on the Jolt protocol,” Polyakov told eWEEK. “Our techniques included reverse engineering and fuzzing.”
Some of the issues were identified with new fuzz tools developed in ERPscan’s research department that leverage machine-learning techniques to make those tools smarter, he added.
The Tuxedo patches come nearly a month after Oracle released its regularly scheduled October Critical Patch Update on Oct. 17, which provided updates for 252 security vulnerabilities. As to why an out-of-band update was necessary for the Tuxedo flaws, Polyakov noted those flaws are remotely exploitable without authentication and there are plenty of PeopleSoft systems available via the internet.
Oracle users are urged to patch their systems as soon as possible as there are no workarounds to reduce the risk.
“Unfortunately, there is nothing that they can do as this issue was found in the core engine,” Polyakov said. “However, our products have attack signatures that can be exported to intrusion detection systems to detect and prevent potential attacks.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.