Oracle pushed out an emergency update for a set of vulnerabilities dubbed ‘JoltandBleed’ that affects five of its products relying on its proprietary Jolt protocol. Two of the vulnerabilities (CVE-2017-10272 and CVE-2017-10269) are severe: an attacker can exploit them without valid credentials and gain full access to all data stored in the affected Oracle ERP systems. The vulnerabilities exist in the Oracle Tuxedo component of Oracle Fusion Middleware; the supported versions affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2. The affected products include the following PeopleSoft applications:
Oracle PeopleSoft Campus Solutions
Oracle PeopleSoft Human Capital Management
Oracle PeopleSoft Financial Management
Oracle PeopleSoft Supply Chain Management
JoltandBleed is a memory leakage vulnerability in Oracle’s proprietary Jolt protocol, which the Oracle Tuxedo application server uses. An attacker can exploit it by sending crafted packets to the Jolt service and extracting data from the server’s memory, potentially including usernames and passwords in plain text.
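To make the bug class concrete, the following is an added example, not code from this post and not Oracle Tuxedo or Jolt source: a constructed request handler that trusts a client-supplied length field and echoes that many bytes back, so a short packet with a large declared length pulls adjacent server memory into the response. The packet layout, the PAYLOAD_MAX limit, the secret placed next to the request buffer and the function names are all assumptions for illustration; the real Jolt wire format is not described on this page. The hardened variant shows the check that closes the over-read.

```c
/* Constructed illustration of a memory over-read (the class of bug described
 * above). Not Oracle code; the Jolt wire format is assumed, not reproduced. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64                     /* assumed size of the request slot */
#define SECRET "DomainPWD=hunter2"         /* constructed data sitting next to it */

/* Simulated server memory: request slot at offset 0, other data right after it. */
static uint8_t server_mem[256];

static void setup_server_memory(void) {
    memset(server_mem, 0, sizeof server_mem);
    memcpy(server_mem + PAYLOAD_MAX, SECRET, strlen(SECRET));
}

/* Vulnerable handler: copies the bytes actually received, then echoes
 * declared_len bytes. Nothing ties declared_len to actual_len, so a client
 * that declares more than it sent reads past its own payload. */
size_t vulnerable_echo(const uint8_t *payload, size_t actual_len,
                       uint16_t declared_len, uint8_t *out, size_t out_cap) {
    setup_server_memory();
    memcpy(server_mem, payload, actual_len > PAYLOAD_MAX ? PAYLOAD_MAX : actual_len);
    size_t n = declared_len;
    if (n > out_cap) n = out_cap;          /* protects only the caller's buffer */
    memcpy(out, server_mem, n);            /* BUG: n may exceed actual_len */
    return n;
}

/* Hardened handler: the declared length must match what arrived and must fit
 * the request slot; otherwise the packet is rejected and nothing is echoed. */
long hardened_echo(const uint8_t *payload, size_t actual_len,
                   uint16_t declared_len, uint8_t *out, size_t out_cap) {
    if (declared_len != actual_len || declared_len > PAYLOAD_MAX ||
        declared_len > out_cap)
        return -1;                          /* malformed request, drop it */
    setup_server_memory();
    memcpy(server_mem, payload, actual_len);
    memcpy(out, server_mem, actual_len);
    return (long)actual_len;
}

/* Helper used to check whether a response carries the neighbouring secret. */
int contains_bytes(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    const uint8_t payload[] = "hi";        /* 2 bytes actually sent (constructed) */
    uint8_t out[256];

    size_t n = vulnerable_echo(payload, 2, 128, out, sizeof out);
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n", n,
           contains_bytes(out, n, SECRET) ? "yes" : "no");

    long r = hardened_echo(payload, 2, 128, out, sizeof out);
    printf("hardened: result %ld (negative means rejected)\n", r);
    return 0;
}
```

The fix is not in the output-buffer check (which the vulnerable version already has) but in refusing to trust any length the client supplies beyond what was actually received; that is the same distinction that made Heartbleed possible.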
The Oracle Security Alert contains 5 new security fixes for Oracle Fusion Middleware. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without requiring user credentials. Below is the complete list of the vulnerabilities fixed by Oracle:
CVE-2017-10272: a memory disclosure vulnerability; exploiting it lets an attacker remotely read the memory of the server.
CVE-2017-10267: a stack overflow vulnerability.
CVE-2017-10278: a heap overflow vulnerability.
CVE-2017-10266: a vulnerability that makes it possible for a malicious actor to brute-force the DomainPWD password used for Jolt protocol authentication.
CVE-2017-10269: a vulnerability affecting the Jolt protocol; it enables an attacker to compromise the whole PeopleSoft system.
A video demonstration of the JoltandBleed attack has been released.
Oracle users are urged to patch their systems as soon as possible, as there are no workarounds to reduce the risk. Customers can use QID#45287 “Oracle PeopleSoft Web Interface Detected” and QID#370663 “Oracle Tuxedo and PeopleSoft Multiple Vulnerabilities” to identify the vulnerable assets in their environment. We are still investigating these vulnerabilities and will update the post as Qualys adds more signatures to detect them. Please continue to follow ThreatProtect for more coverage on this vulnerability.