Oracle PeopleSoft Enterprise PeopleTools Multiple Flaws Let Remote Users Access and Modify Data on the Target System
SecurityTracker Alert ID: 1037046 |
SecurityTracker URL: http://securitytracker.com/id/1037046
CVE Reference:
CVE-2015-7940, CVE-2016-5529, CVE-2016-5530, CVE-2016-5600, CVE-2016-8285, CVE-2016-8291, CVE-2016-8292, CVE-2016-8293, CVE-2016-8294, CVE-2016-8295, CVE-2016-8296
Date: Oct 19 2016
Impact:
Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 8.54, 8.55
Description:
Multiple vulnerabilities were reported in Oracle PeopleSoft products. A remote user can access and modify data on the target system.
A remote user can exploit a flaw in the PeopleSoft Enterprise PeopleTools Integration Broker component to access and partially modify data [CVE-2016-8293].
A remote user can exploit a flaw in the PeopleSoft Enterprise PeopleTools Mobile Application Platform component to access and partially modify data [CVE-2016-8291].
A remote authenticated user can exploit a flaw in the PeopleSoft Enterprise PeopleTools LDAP component to access and partially modify data [CVE-2016-8296].
A remote user can exploit a flaw in the PeopleSoft Enterprise PeopleTools Bouncy Castle Java component to access data [CVE-2015-7940].
A remote user can exploit a flaw in the PeopleSoft Enterprise PeopleTools Integration Broker component to partially access and partially modify data [CVE-2016-5529, CVE-2016-5530].
A remote authenticated user can exploit a flaw in the PeopleSoft Enterprise SCM Services Procurement Security component to partially access and partially modify data [CVE-2016-5600].
A remote authenticated user can exploit a flaw in the PeopleSoft Enterprise HCM Candidate Gateway component to access and partially modify data [CVE-2016-8285].
A remote authenticated user can exploit a flaw in the PeopleSoft Enterprise HCM Schedule component to partially access data [CVE-2016-8295].
A remote authenticated user can exploit a flaw in the PeopleSoft Enterprise PeopleTools Query component to partially access data [CVE-2016-8294].
A remote authenticated user can exploit a flaw in the PeopleSoft Enterprise HCM Talent Acquisition Manager component to partially access and partially modify data [CVE-2016-8292].
The following researchers reported these and other Oracle product vulnerabilities:
Abhishek Singh; Alejo Popovici; Alexander Kornbrust of Red Database Security; Amichai Shulman of Imperva, Inc.; Ariel Walter Garcia; Behzad Najjarpour Jabbari, Secunia Research at Flexera Software; bo13oy of Trend Micro's Zero Day Initiative;
Cezar Santos; David Litchfield of Google; Dawid Golunski; Denis Shpektorov; Devin Rosenbauer of Identity Works LLC; Felix Wilhelm; Hunter Liu of Huawei's IT Infrastructure & Security Dept, BPIT&QM; Jackson Thuraisamy of Security Compass;
Jacob Baines - Tenable Network Security (via Trend Micro's Zero Day Initiative); Jakub Palaczynski of ING Services Polska; John Page (hyp3rlinx); Jordan Milne; Mateusz Guzik; Matias Mevied of Onapsis; Matthias Kaiser of Code White;
Michael Miller of Integrigy; Okan Basegmez of DORASEC Consulting; Pete Finnigan; Peter Moody; Rahmat Nur Fauzi; Reno Robert; Rex Dale Stevens; Sahar Sabban of Intel; Suraj Khetani of Gulf Business Machines; Sven Blumenstein of Google; Tommy DeVoss of Evolution Security; Valentin Dornauer; and Vishnu Padmakumar.
Impact:
A remote user can obtain data on the target system.
A remote user can modify data on the target system.
Solution:
The vendor has issued a fix as part of the October 2016 Oracle Critical Patch Update.
The vendor's advisory is available at:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Vendor URL: www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Cause:
Not specified
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)
Message History:
None.