Oracle Issues Emergency Patches for ‘JoltandBleed’ Vulnerabilities

Oracle pushed out an emergency update for vulnerabilities dubbed ‘JoltandBleed’ affecting five of its products that rely on its proprietary Jolt protocol.

Oracle pushed out an emergency update for vulnerabilities affecting several of its products that rely on its proprietary Jolt protocol. The bugs were discovered by researchers at ERPScan who named the series of five vulnerabilities JoltandBleed.

The vulnerabilities are severe, with two of the bugs scoring 9.9 and 10 on the CVSS scale. Products affected include Oracle PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management, as well as other products using the Tuxedo 2 application server.

Oracle’s Jolt protocol is used by the Tuxedo 2 application server. ERPScan calls the vulnerabilities JoltandBleed because of their similarities to Heartbleed, the 2014 vulnerability discovered in OpenSSL.

According to Oracle, the vulnerabilities “may be exploited over a network without the need for a valid username and password… Since Oracle PeopleSoft products include and use Oracle Tuxedo in their distributions, PeopleSoft customers should apply the Tuxedo patches.” Oracle said customers need to “apply the updates provided by this security alert as soon as possible.”

Oracle made the patches available Tuesday for Oracle Fusion Middleware, which address all of the vulnerabilities. Oracle Tuxedo is a component of Oracle Fusion Middleware. ERPScan released its research on JoltandBleed Thursday in a paper presented at the DeepSec conference in Vienna, Austria.

ERPScan said the vulnerabilities open up affected products to attackers gaining full access to all data. It describes the vulnerabilities as follows:

CVE-2017-10272 is a vulnerability of memory disclosure; its exploitation gives an attacker a chance to remotely read the memory of the server (9.9 on CVSS scale)

CVE-2017-10267 is a stack overflow vulnerability (7.5 on CVSS scale)

CVE-2017-10278 is a heap overflow vulnerability (7.0 on CVSS scale)

CVE-2017-10266 is a vulnerability that makes it possible for a malicious actor to brute-force DomainPWD passwords, which are used for Jolt Protocol authentication (5.3 on CVSS scale)

CVE-2017-10269 is a vulnerability affecting the Jolt Protocol; it enables an attacker to compromise the whole PeopleSoft system (10 on CVSS scale)

“This error originates in how Jolt Handler processes a command with opcode 0x32. If the package structure is incorrect, a programmer has to provide a Jolt client with a certain Jolt response indicating there is an error in the communication process,” researchers at ERPScan wrote.

Researchers said the underlying vulnerability was caused by a programmer that made a mistake in coding a function call that was responsible for packing data to transmit. “The confusion was between 2 functions, jtohi and htoji. Consequently, packing of a constant package length that must be 0x40 bytes is actually 0x40000000,” they wrote.

“Then a client initiates the transmission of 0x40000000 bytes of data. Manipulating the communication with the client, an attacker can achieve a stable work of a server side and sensitive data leakage. Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server,” ERPScan said.
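To make the jtohi/htoji mix-up concrete, here is an added example (not Oracle or ERPScan code; the hypothetical put_be32 and put_le32 helpers stand in for the two byte-order conversion functions) showing how a 0x40-byte length packed with the wrong conversion is read by the peer as 0x40000000, and the bounds check a receiver should apply before honoring a declared length:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The intended constant packet length from the article: 0x40 bytes. */
#define JOLT_PKT_LEN 0x40u

/* Correct packing: 32-bit value in network (big-endian) byte order. */
static void put_be32(uint8_t out[4], uint32_t v) {
    out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
}

/* Mistaken packing: little-endian order, i.e. what a wrong conversion
   call produces on a little-endian host (hypothetical stand-in). */
static void put_le32(uint8_t out[4], uint32_t v) {
    out[0] = (uint8_t)v;         out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
}

/* The receiver always decodes the length field as big-endian. */
uint32_t get_be32(const uint8_t in[4]) {
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
}

/* Length the peer sees when the sender packs correctly: 0x40. */
uint32_t length_seen_correct(void) {
    uint8_t b[4]; put_be32(b, JOLT_PKT_LEN); return get_be32(b);
}

/* Length the peer sees with the swapped function: 0x40000000. */
uint32_t length_seen_swapped(void) {
    uint8_t b[4]; put_le32(b, JOLT_PKT_LEN); return get_be32(b);
}

/* Defensive check: a declared length must never exceed the protocol
   maximum or the buffer that actually backs the packet. Returns 1 if OK. */
int length_is_sane(uint32_t declared, size_t backing_len) {
    return declared <= JOLT_PKT_LEN && declared <= backing_len;
}

int main(void) {
    printf("correct: 0x%x  swapped: 0x%x\n",
           length_seen_correct(), length_seen_swapped());
    printf("swapped length accepted? %d\n",
           length_is_sane(length_seen_swapped(), JOLT_PKT_LEN));
    return 0;
}
```

The check in length_is_sane is the kind of server-side validation that prevents a mis-packed length from turning into a read far beyond the packet buffer.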

This leads to the leakage of credentials when a user enters them through PeopleSoft system’s web interface, researchers said.

According to Oracle, the memory disclosure vulnerability (CVE-2017-10272) is easy to exploit and allows a low-privileged attacker with network access via Jolt to compromise Oracle Tuxedo.

“While the vulnerability is in Oracle Tuxedo, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service of Oracle Tuxedo,” Oracle wrote regarding CVE-2017-10272.
