Closed critical vulnerability in the PeopleSoft kernel engine

Closed on Tuesday, October 17, a vulnerability with remote code execution as part of a large quarterly issue of Oracle’s critical patches has become an alarming call for businesses using PeopleSoft with open access from the Internet

This bug with CVE-2017-10366 allows an attacker to remotely execute code on a server running PeopleSoft software. Researchers from ERPScan found that the error lies in the kernel engine.
In other words, it can be present in various PeopleSoft products.

The error fell into the number of 252 gaps previously closed by Oracle, and was rated 9.8 points out of 10 possible on the CVSS scale. The security bulletin says that the bug gives the attacker the ability to remotely execute commands on the server through a maliciously serialized Java package.

“To take advantage of the vulnerability, you need to send the PeopleSoft service an HTTP request containing the serialized Java object,” said Alexander Polyakov, Technical Director of ERPScan. – After deserialization, it will be able to execute any commands on the server. ”

“Because the vulnerability is contained in the HTTP service, if the PeopleSoft system of the enterprise is accessible from the Internet, it is vulnerable to Internet attacks,” the expert added.
Scanning through the Shodan service conducted by Polyakov along with other ERPScan experts revealed more than 1,000 PeopleSoft systems with Internet access; 200 of them belong to US state institutions and universities.

The updates released on Tuesday are noteworthy for the number of bugs fixed in PeopleSoft products – a total of 23, while 13 of them can be exploited on the network without authorization. PeopleSoft Company competes with SAP, Microsoft and others in the field of business applications for performing important tasks: financial operations, supply chain management, interaction with customers and partners. According to ERPScan, in 2017 there has been a sharp increase in the number of patches for PeopleSoft software, which Oracle acquired in 2004.

The number of patches for PeopleSoft reached a record high during the July wave of critical patches from Oracle – 30 patches, while in April their number was 16, in January – only 7. This year Oracle jointly released 76 updates for PeopleSoft, in 2016 there were 44 of them, in 2015 – 29. The previous issues usually contained no more than ten patches for PeopleSoft solution.

“After examining the most common ERP-systems from SAP, researchers began to dig deeper into other systems and came to the conclusion that in places security is inferior even to SAP solutions,” Polyakov said. “In this case, PeopleSoft systems store and process a lot of critical data, which are subject to the” General Data Protection Regulations “of the EU (GDPR), which have become one of the main topics this year.”

Twice a year, SAP closed critical vulnerabilities in the cloud-based HANA based on in-memory technology. In March, experts discovered a number of vulnerabilities, using which you can access information in the database. In May, the company fixed serious bugs in SAP POS and Host Agent.

The new set of updates from Oracle also includes patches for Fusion Middleware, Hospitality Applications, E-Business Suite, MySQL DBMS, communication applications, Java and hundreds of other products.

Two vulnerabilities in Oracle Hospitality Reporting and Analytics were rated at a maximum of 10.0 points on the CVSS scale. Both gaps are exploited via HTTP and without authentication, allowing an attacker to gain access to all reports and analysis data passing through the system.

This is the latest in this year’s set of critical fixes from Oracle, which became a record for the number of closed vulnerabilities. According to ERPScan, the company-developer totaled 1164 bugs in this year, while in the past there were 914 of them, and in the previous year – 614.