JOLTandBLEED

Oracle has issued an out-of-band emergency security update to address five vulnerabilities, among which one is rated 10 out of 10 on the CVSSv3 bug severity scale, and a second was rated 9.9 out of 10.

These most recent issues affect the Jolt server protocol that's part of the Tuxedo (Transactions for Unix, Extended for Distributed Operations) component, the core of many of Oracle's middleware products.

JOLTandBLEED similar to Heartbleed... but for Oracle products

The five bugs came to light after prodding by cyber-security firm ERPScan. The company refers to them collectively under the name of JOLTandBLEED because some of the bugs have the same consequences as the infamous Heartbleed vulnerability.

An attacker exploiting JOLTandBLEED can expose data that is being processed inside the memory of Tuxedo-based apps, leading to leaks of sensitive information over time.

Oracle and ERPScan say JOLTandBLEED has been confirmed to affect Oracle's PeopleSoft line of products, such as Campus Solutions, PeopleSoft Human Capital Management, PeopleSoft Financial Management, PeopleSoft Supply Chain Management, and others.

One vulnerability gets a perfect 10

The most severe of the issues are CVE-2017-10269 (10/10 severity score) and CVE-2017-10272 (9.9/10 severity score).

CVE-2017-10269, in particular, can be exploited over the network without the attacker needing a password to interact with vulnerable applications. The bug gives an attacker complete control over an entire PeopleSoft system.

On the other hand, CVE-2017-10272 gives an attacker a chance to remotely read the memory of vulnerable Tuxedo servers.

The other three vulnerabilities part of JOLTandBLEED are CVE-2017-10266 ( a flaw that allows brute-forcing of DomainPWD, used for Jolt protocol authentication), CVE-2017-10267 (stack overflow), and CVE-2017-10278 (heap overflow).

ERPScan has released the following video showcasing the company's experts exploiting CVE-2017-10272.

This is not the first bug with a 10 out of 10 score on the CVSS severity scale that Oracle patched this month.

In a previous out-of-band emergency fix, the company patched CVE-2017-10151, a no-password admin account that was left on Oracle Identity Manager (OIM), a user management solution that allows enterprises to control what parts of their network employees can access.

On October 16, Oracle released the October 2017 Critical Patch Update (CPU) trimestrial update train. The company fixed 252 bugs.

CVE-2017-10151 and the JOLTandBLEED flaws were not one of them. Users employing Oracle products are advised to read the company's most recent out-of-band security alerts [1, 2] and apply the necessary updates and install the October 2017 CPU if they haven't done so already.

Related Articles:

22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks

PuTTY SSH client flaw allows recovery of cryptographic private keys

Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks

Telegram fixes Windows app zero-day used to launch Python scripts

Intel and Lenovo servers impacted by 6-year-old BMC flaw