Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0176
Security Advisory: Oracle PeopleSoft Products
18 October 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle PeopleSoft Products
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-10426 CVE-2017-10422 CVE-2017-10418
CVE-2017-10406 CVE-2017-10394 CVE-2017-10382
CVE-2017-10381 CVE-2017-10373 CVE-2017-10368
CVE-2017-10366 CVE-2017-10364 CVE-2017-10362
CVE-2017-10354 CVE-2017-10351 CVE-2017-10338
CVE-2017-10335 CVE-2017-10327 CVE-2017-10306
CVE-2017-10304 CVE-2017-10287 CVE-2017-10280
CVE-2017-10164 CVE-2017-10158
Member content until: Friday, November 17 2017
OVERVIEW
Multiple vulnerabilities have been identified in
PeopleSoft Enterprise FSCM, version 9.2
PeopleSoft Enterprise HCM, version 9.2
PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55,
8.56
PeopleSoft Enterprise PRTL Interaction Hub, version
9.1.00
PeopleSoft Enterprise PT PeopleTools, versions 8.54,
8.55, 8.56
PeopleSoft Enterprise SCM eProcurement, versions 9.1.00,
9.2.00
[1]
IMPACT
The vendor has provided the following information regarding
to the vulnerabilities:
"This Critical Patch Update contains 23 new security fixes
for Oracle PeopleSoft Products. 13 of these
vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network
without requiring user credentials."
[1]
"CVE-2017-10366
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise PeopleSoft Enterprise PT PeopleTools. Successful
attacks of this vulnerability can result in takeover of
PeopleSoft Enterprise PT PeopleTools.
CVE-2017-10338
8.2
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
The supported version that is affected is 9.1.00. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft
Enterprise PRTL Interaction Hub. Successful attacks require
human interaction from a person other than the attacker and
while the vulnerability is in PeopleSoft Enterprise PRTL
Interaction Hub, attacks may significantly impact additional
products. Successful attacks of this vulnerability can
result in unauthorized access to critical data or complete
access to all PeopleSoft Enterprise PRTL Interaction Hub
accessible data as well as unauthorized update, insert or
delete access to some of PeopleSoft Enterprise PRTL
Interaction Hub accessible data.
CVE-2017-10354
8.2
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
The supported version that is affected is 9.1.00. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft
Enterprise PRTL Interaction Hub. Successful attacks require
human interaction from a person other than the attacker and
while the vulnerability is in PeopleSoft Enterprise PRTL
Interaction Hub, attacks may significantly impact additional
products. Successful attacks of this vulnerability can
result in unauthorized access to critical data or complete
access to all PeopleSoft Enterprise PRTL Interaction Hub
accessible data as well as unauthorized update, insert or
delete access to some of PeopleSoft Enterprise PRTL
Interaction Hub accessible data.
CVE-2017-10364
8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows low privileged
attacker with network access via HTTP to compromise
PeopleSoft Enterprise PeopleTools. Successful attacks of
this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all
PeopleSoft Enterprise PeopleTools accessible data as well as
unauthorized access to critical data or complete access to
all PeopleSoft Enterprise PeopleTools accessible data.
CVE-2017-10335
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 8.55 and 8.56.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
PeopleSoft Enterprise PT PeopleTools. Successful attacks of
this vulnerability can result in unauthorized access to
critical data or complete access to all PeopleSoft
Enterprise PT PeopleTools accessible data.
CVE-2017-10373
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 8.55 and 8.56.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
PeopleSoft Enterprise PT PeopleTools. Successful attacks of
this vulnerability can result in unauthorized access to
critical data or complete access to all PeopleSoft
Enterprise PT PeopleTools accessible data.
CVE-2017-10362
7.2
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise PeopleSoft Enterprise PeopleTools. While the
vulnerability is in PeopleSoft Enterprise PeopleTools,
attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in
unauthorized read access to a subset of PeopleSoft
Enterprise PeopleTools accessible data and unauthorized
ability to cause a partial denial of service (partial DOS)
of PeopleSoft Enterprise PeopleTools.
CVE-2017-10280
6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows low privileged
attacker with network access via HTTP to compromise
PeopleSoft Enterprise PeopleTools. Successful attacks of
this vulnerability can result in unauthorized access to
critical data or complete access to all PeopleSoft
Enterprise PeopleTools accessible data.
CVE-2017-10418
6.4
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
The supported version that is affected is 8.56. Easily
exploitable vulnerability allows low privileged attacker
with network access via HTTP to compromise PeopleSoft
Enterprise PT PeopleTools. While the vulnerability is in
PeopleSoft Enterprise PT PeopleTools, attacks may
significantly impact additional products. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of PeopleSoft
Enterprise PT PeopleTools accessible data as well as
unauthorized read access to a subset of PeopleSoft
Enterprise PT PeopleTools accessible data.
CVE-2017-10351
6.2
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure
where PeopleSoft Enterprise PT PeopleTools executes to
compromise PeopleSoft Enterprise PT PeopleTools. Successful
attacks of this vulnerability can result in unauthorized
access to critical data or complete access to all PeopleSoft
Enterprise PT PeopleTools accessible data.
CVE-2017-10158
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise PeopleSoft Enterprise PeopleTools. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in PeopleSoft
Enterprise PeopleTools, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of PeopleSoft Enterprise PeopleTools
accessible data as well as unauthorized read access to a
subset of PeopleSoft Enterprise PeopleTools accessible data.
CVE-2017-10381
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise PeopleSoft Enterprise PeopleTools. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in PeopleSoft
Enterprise PeopleTools, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of PeopleSoft Enterprise PeopleTools
accessible data as well as unauthorized read access to a
subset of PeopleSoft Enterprise PeopleTools accessible data.
CVE-2017-10406
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise PeopleSoft Enterprise PeopleTools. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in PeopleSoft
Enterprise PeopleTools, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of PeopleSoft Enterprise PeopleTools
accessible data as well as unauthorized read access to a
subset of PeopleSoft Enterprise PeopleTools accessible data.
CVE-2017-10327
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise PeopleSoft Enterprise PeopleTools. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in PeopleSoft
Enterprise PeopleTools, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of PeopleSoft Enterprise PeopleTools
accessible data as well as unauthorized read access to a
subset of PeopleSoft Enterprise PeopleTools accessible data.
CVE-2017-10368
6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 9.1.00 and 9.2.00.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
PeopleSoft Enterprise SCM eProcurement. Successful attacks
require human interaction from a person other than the
attacker and while the vulnerability is in PeopleSoft
Enterprise SCM eProcurement, attacks may significantly
impact additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of PeopleSoft Enterprise SCM
eProcurement accessible data as well as unauthorized read
access to a subset of PeopleSoft Enterprise SCM eProcurement
accessible data.
CVE-2017-10422
5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
The supported version that is affected is 8.54. Difficult to
exploit vulnerability allows unauthenticated attacker with
network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks of this vulnerability can
result in unauthorized access to critical data or complete
access to all PeopleSoft Enterprise PeopleTools accessible
data.
CVE-2017-10304
5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
The supported version that is affected is 9.2. Easily
exploitable vulnerability allows low privileged attacker
with network access via HTTP to compromise PeopleSoft
Enterprise HCM. Successful attacks require human
interaction from a person other than the attacker and while
the vulnerability is in PeopleSoft Enterprise HCM, attacks
may significantly impact additional products. Successful
attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of PeopleSoft
Enterprise HCM accessible data as well as unauthorized read
access to a subset of PeopleSoft Enterprise HCM accessible
data.
CVE-2017-10394
5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows low privileged
attacker with network access via HTTP to compromise
PeopleSoft Enterprise PeopleTools. Successful attacks of
this vulnerability can result in unauthorized update,
insert or delete access to some of PeopleSoft Enterprise
PeopleTools accessible data and unauthorized ability to
cause a partial denial of service (partial DOS) of
PeopleSoft Enterprise PeopleTools.
CVE-2017-10382
4.7
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Supported versions that are affected are 8.54, 8.55 and
8.56. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise PeopleSoft Enterprise PeopleTools. Successful
attacks require human interaction from a person other than
the attacker and while the vulnerability is in PeopleSoft
Enterprise PeopleTools, attacks may significantly impact
additional products. Successful attacks of this
vulnerability can result in unauthorized update, insert or
delete access to some of PeopleSoft Enterprise PeopleTools
accessible data.
CVE-2017-10306
4.6
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
The supported version that is affected is 9.2. Easily
exploitable vulnerability allows low privileged attacker
with network access via HTTP to compromise PeopleSoft
Enterprise HCM. Successful attacks require human
interaction from a person other than the attacker.
Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of
PeopleSoft Enterprise HCM accessible data as well as
unauthorized read access to a subset of PeopleSoft
Enterprise HCM accessible data.
CVE-2017-10164
4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
The supported version that is affected is 9.2. Easily
exploitable vulnerability allows low privileged attacker
with network access via HTTP to compromise PeopleSoft
Enterprise FSCM. Successful attacks of this vulnerability
can result in unauthorized read access to a subset of
PeopleSoft Enterprise FSCM accessible data.
CVE-2017-10287
4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
The supported version that is affected is 9.2. Easily
exploitable vulnerability allows low privileged attacker
with network access via HTTP to compromise PeopleSoft
Enterprise FSCM. Successful attacks of this vulnerability
can result in unauthorized read access to a subset of
PeopleSoft Enterprise FSCM accessible data.
CVE-2017-10426
2.7
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
The supported version that is affected is 9.2. Easily
exploitable vulnerability allows high privileged attacker
with network access via HTTP to compromise PeopleSoft
Enterprise FSCM. Successful attacks of this vulnerability
can result in unauthorized read access to a subset of
PeopleSoft Enterprise FSCM accessible data."
[2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon
as possible. Until you apply the CPU fixes, it may be
possible to reduce the risk of successful attack by blocking
network protocols required by an attack. For attacks that
require certain privileges or access to certain packages,
removing the privileges or the ability to access the
packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may
break application functionality, so Oracle strongly
recommends that customers test changes on non-production
systems. Neither approach should be considered a long-term
solution as neither corrects the underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - October 2017
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
[2] Text Form of Oracle Critical Patch Update - October 2017 Risk
Matrices
http://www.oracle.com/technetwork/security-advisory/cpuoct2017verbose-3236627.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWebatox+lLeg9Ub1AQhhmA//bGWepxeD5FfWEuR7qTXLx3+xZ3w0PZkf
1TlwETYzMUUGalfPfe5Bhr2WPcQVGPA9G/vevDbV4ovOjt9CiO0H7PsGzcy4lvcy
zGkBPCv/MLFL+4Spv9Ws8vyewCj58F+f5XbQng1ZgQNwjJCtpJXqIR6qoFIZU36T
sdQjSvTGdf2YkZPLDsXAcoJmAmWCSetdPWsf4Ri+utuzEl7vFcoeoip/xcpj+IC6
ZGY4se1ic1wUHrBxOcecf8ERYdlcDgya+M9LpoRDGVJA6JkXYbMJtVrxkeG9xIv2
ncEW7vVvf0Wk0GzJE6V69/2QUp53Fw4mjw/WmoUOTnSAdVCWcCgHbqzTZN1Brzg9
rmoe4P8rsF5Qc0blo7ZsGrsj5l0oX96s9pYKK4fRu4hXbh3h4/xFpiHRwYzYAYst
YB4rk2xkEotUwNORLaAh+XfghIC+EAfCCM/qSj6DQDB9Sgdqcls3H+jRIMgv9eGn
XMDg9ByfT77XyXjihozLXsOLFpwsxuWBdg8MRjWxRWZ2N7YWcAr3z66hsR7chZ47
lvE9L3fghxPGAz46Zu+KvZ11d7uHSoY8taeeUOlseADolK8FFooV+9grDt5he6HU
+Ijcopgw+OGOofz+EvUJgDNbLRuknkSGsc3z0GE7GOZHYs3naTdIa8JllMy9Ia+z
PO35ecfF5Bs=
=KfRM
-----END PGP SIGNATURE-----