Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2021.0073
Oracle PeopleSoft Critical Patch Update
21 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PeopleSoft Enterprise Products
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-2220 CVE-2021-2219 CVE-2021-2218
CVE-2021-2216 CVE-2021-2159 CVE-2021-2151
CVE-2020-28052 CVE-2020-27193 CVE-2020-11022
CVE-2020-8286 CVE-2020-1971 CVE-2019-10086
CVE-2017-1000061 CVE-2017-18640
Reference: ASB-2021.0069
ASB-2021.0066
ASB-2021.0026
ASB-2021.0020
ESB-2021.1114
ESB-2021.1066
ESB-2021.0909
OVERVIEW
Multiple vulnerabilities have been identified in :
o PeopleSoft Enterprise CS Campus Community, version 9.2
o PeopleSoft Enterprise FIN Common Application Objects, version
9.2
o PeopleSoft Enterprise FIN Expenses, version 9.2
o PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
o PeopleSoft Enterprise PT PeopleTools, versions 8.56, 8.57, 8.58
o PeopleSoft Enterprise SCM eProcurement, version 9.2
o PeopleSoft Enterprise SCM Purchasing, version 9.2
[1]
IMPACT
The vendor has provided the following information regarding the
vulnerabilities:
"This Critical Patch Update contains 18 new security patches plus
additional third party patches noted below for Oracle PeopleSoft. 13
of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials." [1]
CVE-2021-2218
8.3 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Supported versions that are affected are 8.56 and 8.57. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise PeopleSoft Enterprise PT
PeopleTools. While the vulnerability is in PeopleSoft Enterprise PT
PeopleTools, attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of PeopleSoft Enterprise PT
PeopleTools accessible data as well as unauthorized read access to a
subset of PeopleSoft Enterprise PT PeopleTools accessible data and
unauthorized ability to cause a partial denial of service (partial
DOS) of PeopleSoft Enterprise PT PeopleTools.
Affects:
o PeopleSoft Enterprise PT PeopleTools 8.56, 8.57
CVE-2020-28052
8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 8.56, 8.57 and 8.58.
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via HTTPS to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks of this vulnerability can result in
takeover of PeopleSoft Enterprise PeopleTools.
Affects:
o PeopleSoft Enterprise PeopleTools 8.56, 8.57, 8.58
CVE-2020-8286
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The supported version that is affected is 8.58. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful
attacks of this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all PeopleSoft
Enterprise PeopleTools accessible data.
Affects:
o PeopleSoft Enterprise PeopleTools 8.58
CVE-2017-18640
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.56, 8.57 and 8.58. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise PeopleSoft Enterprise PT
PeopleTools. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of PeopleSoft Enterprise PT PeopleTools.
Affects:
o PeopleSoft Enterprise PT PeopleTools 8.56, 8.57, 8.58
CVE-2021-2219
7.4 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Supported versions that are affected are 8.56, 8.57 and 8.58. Easily
exploitable vulnerability allows low privileged attacker with network
access via HTTP to compromise PeopleSoft Enterprise PeopleTools.
While the vulnerability is in PeopleSoft Enterprise PeopleTools,
attacks may significantly impact additional products. Successful
attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of PeopleSoft Enterprise PeopleTools
accessible data as well as unauthorized read access to a subset of
PeopleSoft Enterprise PeopleTools accessible data and unauthorized
ability to cause a partial denial of service (partial DOS) of
PeopleSoft Enterprise PeopleTools.
Affects:
o PeopleSoft Enterprise PeopleTools 8.56, 8.57, 8.58
CVE-2019-10086
7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Supported versions that are affected are 8.56, 8.57 and 8.58. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise PeopleSoft Enterprise PT
PeopleTools. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of PeopleSoft
Enterprise PT PeopleTools accessible data as well as unauthorized
read access to a subset of PeopleSoft Enterprise PT PeopleTools
accessible data and unauthorized ability to cause a partial denial of
service (partial DOS) of PeopleSoft Enterprise PT PeopleTools.
Affects:
o PeopleSoft Enterprise PT PeopleTools 8.56, 8.57, 8.58
CVE-2017-1000061
7.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Supported versions that are affected are 8.56, 8.57 and 8.58. Easily
exploitable vulnerability allows unauthenticated attacker with logon
to the infrastructure where PeopleSoft Enterprise PeopleTools
executes to compromise PeopleSoft Enterprise PeopleTools. Successful
attacks require human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all
PeopleSoft Enterprise PeopleTools accessible data and unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS)
of PeopleSoft Enterprise PeopleTools.
Affects:
o PeopleSoft Enterprise PeopleTools 8.56, 8.57, 8.58
CVE-2021-2151
6.7 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Supported versions that are affected are 8.56, 8.57 and 8.58. Easily
exploitable vulnerability allows high privileged attacker with
network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical
data or all PeopleSoft Enterprise PeopleTools accessible data as well
as unauthorized read access to a subset of PeopleSoft Enterprise
PeopleTools accessible data and unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of PeopleSoft
Enterprise PeopleTools.
Affects:
o PeopleSoft Enterprise PeopleTools 8.56, 8.57, 8.58
CVE-2020-11022
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
The supported version that is affected is 9.2. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise PeopleSoft Enterprise FIN Common Application
Objects. Successful attacks require human interaction from a person
other than the attacker and while the vulnerability is in PeopleSoft
Enterprise FIN Common Application Objects, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized update, insert or delete access to some of
PeopleSoft Enterprise FIN Common Application Objects accessible data
as well as unauthorized read access to a subset of PeopleSoft
Enterprise FIN Common Application Objects accessible data.
Affects:
o PeopleSoft Enterprise FIN Common Application Objects 9.2
o PeopleSoft Enterprise FIN Expenses 9.2
o PeopleSoft Enterprise PT PeopleTools 8.56, 8.57, 8.58
o PeopleSoft Enterprise SCM eProcurement 9.2
o PeopleSoft Enterprise SCM Purchasing 9.2
CVE-2021-2216
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 8.56, 8.57 and 8.58. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks require human interaction from a
person other than the attacker and while the vulnerability is in
PeopleSoft Enterprise PeopleTools, attacks may significantly impact
additional products. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of
PeopleSoft Enterprise PeopleTools accessible data as well as
unauthorized read access to a subset of PeopleSoft Enterprise
PeopleTools accessible data.
Affects:
o PeopleSoft Enterprise PeopleTools 8.56, 8.57, 8.58
CVE-2020-27193
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 8.56, 8.57 and 8.58. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks require human interaction from a
person other than the attacker and while the vulnerability is in
PeopleSoft Enterprise PeopleTools, attacks may significantly impact
additional products. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of
PeopleSoft Enterprise PeopleTools accessible data as well as
unauthorized read access to a subset of PeopleSoft Enterprise
PeopleTools accessible data.
Affects:
o PeopleSoft Enterprise PeopleTools 8.56, 8.57, 8.58
CVE-2020-1971
5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.56, 8.57 and 8.58.
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via HTTPS to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of PeopleSoft Enterprise PeopleTools.
Affects:
o PeopleSoft Enterprise PeopleTools 8.56, 8.57, 8.58
CVE-2021-2220
5.4 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
The supported version that is affected is 9.2. Easily exploitable
vulnerability allows low privileged attacker with network access via
HTTP to compromise PeopleSoft Enterprise SCM eProcurement. Successful
attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of PeopleSoft Enterprise SCM
eProcurement accessible data as well as unauthorized read access to a
subset of PeopleSoft Enterprise SCM eProcurement accessible data.
Affects:
o PeopleSoft Enterprise SCM eProcurement 9.2
CVE-2021-2159
3.5 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
The supported version that is affected is 9.2. Easily exploitable
vulnerability allows low privileged attacker with network access via
HTTP to compromise PeopleSoft Enterprise CS Campus Community.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of PeopleSoft Enterprise CS
Campus Community accessible data.
Affects:
o PeopleSoft Enterprise CS Campus Community 9.2
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. Until
you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2021
https://www.oracle.com/security-alerts/cpuapr2021.html
[2] Text Form of Oracle Critical Patch Update - April 2021 Risk
Matrices
https://www.oracle.com/security-alerts/cpuapr2021verbose.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYH+c7eNLKJtyKPYoAQiz2A/9F/7oRDwL1eMXZgkhfaOPnAubHes8cW9O
OTdh+zNO5UgLfrdkqjjrQ/bSyK9Y54LfPN7DYUcmNRXWUMA89bn7UTXdwwlWdjZ6
lFQOaY7N1SZL9Wd1NAxOLbWof2IgV+iDnmmlPm3sLby/VPKBBZnj/wF1oexQMTRx
W6/RNzgA5a38As0OPDN3dS9E95yd3SG8Zv7a2bBxBYriin07b3slBBvNr9yA4a03
glzR3CpKXJyzp1CcnswSZqISEKu4An+JPYTh5I9dMESfvAP9kPHFFKCmAeQ0C5nF
fD+wn2ALinKdR3ZCsQ1oH+fsk1bXdTCUFH22yU509dDXtwLLYxHsm3ZOLLnIKJtS
i2FsfhiDvQTWjRjVO8Er/Rd9PSX0UIFKUP5JV0HzO3lR5ljdOm9Xi+drsBo4xq3W
Rso2nkRKUGGHuqCgm2qddo08f+UcclKXEEgxvPK+sOw9TMf3mc2j1idIem7XEz3E
XNB5gTso2Vbd62055Pd/tnJ52vjxJHm33EKHhdyxleUNtp8ntncW80CRVXf0auYg
IKKlmFd6ohOAM1xDSIlNAaLk+yXAN6KyBHJab8F+CEKrFEhUeR/RhVDR4oTJq7Hv
6+vVaSsFzCoQp7IJiic2tjXh+6I4CvxknsRW0cy4WjfrNNEgp1PzPoiQuxsP4vDy
vb+W9gmtbYA=
=wpE/
-----END PGP SIGNATURE-----