Organizations that have their PeopleSoft installations exposed to the internet should pay special attention to a remote code execution vulnerability patched on Tuesday as part of Oracle’s massive quarterly Critical Patch Update.
The flaw, CVE-2017-10366, allows an attacker to gain remote code execution on a server running PeopleSoft software. The flaw is in the core engine, researchers at ERPScan said, meaning that multiple flavors of PeopleSoft products could be affected.
The bug is one of 252 patched by Oracle and was assigned a CVSS severity score of 9.8 out of 10. According to the Oracle advisory, an attacker could use a malicious Java serialized package to execute system commands remotely on the server.
“This vulnerability can be exploited by sending an HTTP request to the PeopleSoft service with a serialized JAVA object,” said Alexander Polyakov, CTO at ERPScan. “After unserialization, it can run any command on the server.
“Because this vulnerability was found in an HTTP service, it can be easily available via the internet if a company exposes its PeopleSoft system to the Internet,” he added.
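As an added illustration, not code from the article, ERPScan or Oracle: a Python triage helper that flags HTTP request bodies carrying a Java serialization stream, raw or base64-encoded, and lists the class names the stream declares, which is the first thing to check in a proxy or WAF capture for the request pattern Polyakov describes. The endpoint path, host and sample stream are constructed, and the class-name scan is a heuristic rather than a full stream parser.

```python
import base64
import re
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005
B64_STREAM_RE = re.compile(rb"rO0AB[A-Za-z0-9+/=]+")  # base64 of any such stream
TC_CLASSDESC = 0x72  # class descriptor tag in the serialization grammar
CLASS_NAME_RE = re.compile(rb"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")

def extract_class_names(stream):
    """Heuristic scan for TC_CLASSDESC records (tag 0x72, 2-byte length, UTF name)."""
    # Not a full parser: only plausibly named classes are reported, for triage.
    names, i = [], 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            n = int.from_bytes(stream[i + 1:i + 3], "big")
            name = stream[i + 3:i + 3 + n]
            if n and len(name) == n and CLASS_NAME_RE.fullmatch(name):
                names.append(name.decode())
                i += 3 + n
                continue
        i += 1
    return names

def find_java_serialized(body):
    """Return the serialized stream carried in an HTTP body (raw or base64), else None."""
    idx = body.find(JAVA_SER_MAGIC)
    if idx >= 0:
        return body[idx:]
    m = B64_STREAM_RE.search(body)
    if not m:
        return None
    chunk = m.group(0)
    try:
        return base64.b64decode(chunk + b"=" * (-len(chunk) % 4))  # restore stripped padding
    except ValueError:
        return None

def inspect_request(raw_request):
    """Split a raw HTTP request and report whether its body carries a Java stream."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    stream = find_java_serialized(body)
    return {"request": request_line, "java_serialized": stream is not None,
            "classes": extract_class_names(stream) if stream else []}

# Constructed sample: shaped like a serialized java.util.HashMap (0x11 = 17-byte name,
# zeroed serialVersionUID, no fields); the endpoint path and host are placeholders.
SAMPLE_STREAM = (JAVA_SER_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"
                 + b"\x00" * 8 + b"\x03\x00\x00\x78\x70")
HEAD = b"POST /example-endpoint HTTP/1.1\r\nHost: peoplesoft.example\r\n\r\n"
B64_REQUEST = HEAD + b"payload=" + base64.b64encode(SAMPLE_STREAM) + b"&submit=1"
```

Run it over a captured request with `inspect_request(HEAD + SAMPLE_STREAM)` or `inspect_request(B64_REQUEST)`; a hit on a form field or JSON endpoint that should never carry serialized Java objects is what to alert on.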
Polyakov said a Shodan scan conducted by ERPScan showed more than 1,000 PeopleSoft systems similarly exposed on the internet, including more than 200 belonging to government agencies and universities in the U.S.
Yesterday’s update stands out for the number of PeopleSoft fixes, 23, which includes 13 that can be exploited over the network without credentials. PeopleSoft, like SAP, Microsoft and other competitors, is business-critical software running sensitive tasks such as financial, supply chain, customer and partner management. According to ERPScan, there has been a sharp spike in 2017 in PeopleSoft patches issued by Oracle, which acquired PeopleSoft in 2004.
The high-water mark was the July Critical Patch Update which contained 30 PeopleSoft patches, up from 16 in April and seven in January. There were 76 updates for PeopleSoft this year, up from 44 in 2016 and 29 in 2015. In previous quarters there had been, with some exceptions, only single-figure numbers of PeopleSoft patches issued quarterly.
“After covering the most common ERP systems from SAP, researchers started to dive deeper into other systems and reveal that their security in some cases is even worse than SAP security,” Polyakov said. “At the same time, PeopleSoft systems store and process a lot of critical data which is subject to GDPR compliance, a hot topic this year.”
Twice this year, SAP has patched critical vulnerabilities in its HANA in-memory database offered as a cloud service. In March, researchers revealed that a series of vulnerabilities could be chained to expose data stored in the system. In May, serious bugs in SAP’s point-of-sale solution and its Host Agent were patched.
Yesterday’s Oracle update also included patches for high-risk bugs in its Fusion Middleware, Hospitality applications, E-Business Suite, MySQL database, communications applications and Java, among hundreds of others.
Two vulnerabilities in Oracle Hospitality Reporting and Analytics were assigned the maximum CVSS score of 10.0. Both were exploitable without authentication over HTTP and allow an attacker to access all of the reporting and analytics data running through the system.
This is the final Oracle CPU of 2017, and it caps a record year for the number of vulnerabilities addressed. According to ERPScan, Oracle patched 1,119 bugs this year compared to 914 last year and 614 in 2015.