Oracle issues emergency patches for JOLTANDBLEED flaws

JoltandBleed – Oracle issued an emergency patch for vulnerabilities affecting several of its products that rely on the proprietary Jolt protocol.

Oracle issued an emergency patch for vulnerabilities affecting several of its products that rely on the proprietary Jolt protocol.

The vulnerabilities were reported by experts at ERPScan who named the set of five vulnerabilities JoltandBleed.

The most critical flaw was rated with the highest CVSS base score of 9.9 and even 10.0, according to the experts it may be exploited over a network without the need for a valid username and password.

The JoltandBleed issues affect the Jolt server within Oracle Tuxedo that is used by numerous Oracle’s products, including Oracle PeopleSoft. An attacker can exploit the vulnerabilities to gain full access to all data stored in the following ERP systems:

Oracle PeopleSoft Campus Solutions
Oracle PeopleSoft Human Capital Management
Oracle PeopleSoft Financial Management
Oracle PeopleSoft Supply Chain Management, etc.

Below the complete list of the JoltandBleed vulnerabilities discovered by the expert:

CVE-2017-10272 is a vulnerability of memory disclosure; its exploitation gives an attacker a chance to remotely read the memory of the server.
CVE-2017-10267 is a vulneralility of stack overflows.
CVE-2017-10278 is a vulneralility of heap overflows.
CVE-2017-10266 is a vulnerability that makes it possible for a malicious actor to bruteforce passwords of DomainPWD which is used for the Jolt Protocol authentication.
CVE-2017-10269 is a vulnerability affecting the Jolt Protocol; it enables an attacker to compromise the whole PeopleSoft system.

The flaw ties the way Jolt Handler (JSH) processes a command with opcode 0x32

“This error is originated with that how Jolt Handler processes a command with opcode 0x32. If the package structure is incorrect, a programmer has to provide a Jolt client with a certain Jolt response indicating there is an error in the communication process,” continues ERPScan.

Oracle made the patches available Tuesday for Oracle Fusion Middleware, which address all vulnerabilities.

The vulnerability was caused by a coding mistake in a function call that was responsible for packing data to transmit.

“The confusion was between 2 functions, jtohi and htoji. Consequently, packing of a constant package length that must be 0x40 bytes is actually 0x40000000,” said ERPScan.

“Then a client initiates the transmission of 0x40000000 bytes of data. Manipulating the communication with the client, an attacker can achieve a stable work of a server side and sensitive data leakage. Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server,”

The vulnerability causes the leakage of credentials when a user enters them through the web interface of PeopleSoft systems.

Technically, the flaw is a memory leakage vulnerability similar to HeartBleed so it can be used to retrieve a user password and other sensitive data.

“One of the possible attacks besides an obvious theft of employees data is for students to hack Campus Solutions and modify or delete payment orders for their education or gain financial aid. This attack as well as other details was demonstrated today at the DeepSec Security conference in Vienna.” said ErpScan.

Below the video PoC published by ErpScan:

According to Oracle the CVE-2017-10272 memory disclosure vulnerability is easy to exploit and allows a low privileged attacker with network access via Jolt to compromise Oracle Tuxedo.

“Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middleware (subcomponent: Core). Supported versions that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2. Easily exploitable vulnerability allows low privileged attacker with network access via Jolt to compromise Oracle Tuxedo.” wrote Oracle. “While the vulnerability is in Oracle Tuxedo, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – JoltandBleed, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.