Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0043
Security Advisory: Oracle PeopleSoft Products
20 April 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle PeopleSoft Products
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-3577 CVE-2017-3571 CVE-2017-3570
CVE-2017-3548 CVE-2017-3547 CVE-2017-3546
CVE-2017-3536 CVE-2017-3527 CVE-2017-3525
CVE-2017-3524 CVE-2017-3522 CVE-2017-3521
CVE-2017-3520 CVE-2017-3519 CVE-2017-3502
CVE-2014-3596
Member content until: Friday, May 19 2017
Reference: ESB-2016.0456
ESB-2016.0127
ESB-2015.2791
ESB-2015.1317
ESB-2015.1014
OVERVIEW
Multiple vulnerabilities have been identified in the following
components of Oracle PeopleSoft Products:
PeopleSoft Enterprise CS Campus Community, version(s) 9.2
PeopleSoft Enterprise FIN Receivables, version(s) 9.2
PeopleSoft Enterprise FSCM, version(s) 9.1
PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
PeopleSoft Enterprise SCM eBill Payment, version(s) 9.2
PeopleSoft Enterprise SCM eSupplier Connection, version(s) 9.2
PeopleSoft Enterprise SCM Purchasing, version(s) 9.2
PeopleSoft Enterprise SCM Service Procurement, version(s) 9.2
PeopleSoft Enterprise SCM Strategic Sourcing, version(s) 9.2. [1]
IMPACT
The vendor has provided the following information:
"CVE-2017-3519 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all
PeopleSoft Enterprise PeopleTools accessible data.
CVE-2017-3547 7.4 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks require human interaction from a
person other than the attacker and while the vulnerability is in
PeopleSoft Enterprise PeopleTools, attacks may significantly impact
additional products. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification access to
critical data or all PeopleSoft Enterprise PeopleTools accessible
data.
CVE-2017-3577 6.5 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Easily exploitable vulnerability allows high privileged attacker
with network access via HTTP to compromise PeopleSoft Enterprise CS
Campus Community. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification access to
critical data or all PeopleSoft Enterprise CS Campus Community
accessible data as well as unauthorized access to critical data or
complete access to all PeopleSoft Enterprise CS Campus Community
accessible data.
CVE-2017-3570 6.5 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Easily exploitable vulnerability allows high privileged attacker
with network access via HTTP to compromise PeopleSoft Enterprise
FSCM. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical
data or all PeopleSoft Enterprise FSCM accessible data as well as
unauthorized access to critical data or complete access to all
PeopleSoft Enterprise FSCM accessible data.
CVE-2017-3520 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks require human interaction from a
person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or
modification access to critical data or all PeopleSoft Enterprise
PeopleTools accessible data.
CVE-2017-3548 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of PeopleSoft Enterprise
PeopleTools accessible data and unauthorized ability to cause a
partial denial of service (partial DOS) of PeopleSoft Enterprise
PeopleTools.
CVE-2017-3546 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of PeopleSoft
Enterprise PeopleTools accessible data as well as unauthorized read
access to a subset of PeopleSoft Enterprise PeopleTools accessible
data.
CVE-2014-3596 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of PeopleSoft
Enterprise PeopleTools accessible data as well as unauthorized read
access to a subset of PeopleSoft Enterprise PeopleTools accessible
data.
CVE-2017-3521 6.5 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Easily exploitable vulnerability allows high privileged attacker
with network access via HTTP to compromise PeopleSoft Enterprise SCM
Purchasing. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical
data or all PeopleSoft Enterprise SCM Purchasing accessible data as
well as unauthorized access to critical data or complete access to
all PeopleSoft Enterprise SCM Purchasing accessible data.
CVE-2017-3525 6.5 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Easily exploitable vulnerability allows high privileged attacker
with network access via HTTP to compromise PeopleSoft Enterprise SCM
Service Procurement. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification access to
critical data or all PeopleSoft Enterprise SCM Service Procurement
accessible data as well as unauthorized access to critical data or
complete access to all PeopleSoft Enterprise SCM Service Procurement
accessible data.
CVE-2017-3524 6.5 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Easily exploitable vulnerability allows high privileged attacker
with network access via HTTP to compromise PeopleSoft Enterprise SCM
Strategic Sourcing. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification access to
critical data or all PeopleSoft Enterprise SCM Strategic Sourcing
accessible data as well as unauthorized access to critical data or
complete access to all PeopleSoft Enterprise SCM Strategic Sourcing
accessible data.
CVE-2017-3571 6.5 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Easily exploitable vulnerability allows high privileged attacker
with network access via HTTP to compromise PeopleSoft Enterprise SCM
eBill Payment. Successful attacks of this vulnerability can result
in unauthorized creation, deletion or modification access to
critical data or all PeopleSoft Enterprise SCM eBill Payment
accessible data as well as unauthorized access to critical data or
complete access to all PeopleSoft Enterprise SCM eBill Payment
accessible data.
CVE-2017-3522 6.5 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Easily exploitable vulnerability allows high privileged attacker
with network access via HTTP to compromise PeopleSoft Enterprise SCM
eSupplier Connection. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification access to
critical data or all PeopleSoft Enterprise SCM eSupplier Connection
accessible data as well as unauthorized access to critical data or
complete access to all PeopleSoft Enterprise SCM eSupplier
Connection accessible data.
CVE-2017-3502 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft Enterprise FIN
Receivables. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of PeopleSoft
Enterprise FIN Receivables accessible data.
CVE-2017-3527 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Easily exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of PeopleSoft Enterprise
PeopleTools accessible data.
CVE-2017-3536 4.6 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Easily exploitable vulnerability allows low privileged attacker with
network access via HTTP to compromise PeopleSoft Enterprise
PeopleTools. Successful attacks require human interaction from a
person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized update, insert or delete
access to some of PeopleSoft Enterprise PeopleTools accessible data
as well as unauthorized read access to a subset of PeopleSoft
Enterprise PeopleTools accessible data." [2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon as
possible. Until you apply the CPU fixes, it may be possible to
reduce the risk of successful attack by blocking network protocols
required by an attack. For attacks that require certain privileges
or access to certain packages, removing the privileges or the
ability to access the packages from users that do not need the
privileges may help reduce the risk of successful attack. Both
approaches may break application functionality, so Oracle strongly
recommends that customers test changes on non-production systems.
Neither approach should be considered a long-term solution as
neither corrects the underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2017
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
[2] Text Form of Oracle Critical Patch Update - April 2017 Risk
Matrices
https://www.oracle.com/technetwork/topics/security/cpuapr2017verbose-3236619.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWPgb8ox+lLeg9Ub1AQisaxAAow+rClz1PX4Flt+tX2bblTtzNLFDzmpS
CZNjLWTw3aKLk8uQ+Pz40YCJB0EdgiZVlGzKO8mw8sYWTQNhUIlA4kXvgqcmY5G4
mzuPh1tKKvoGcp3eQpxsunmTGqJqQfePsPvPVjkoFbXLGPVDdRY+qov9mgDL51JJ
bnK/WCE5Q8PpV8EmUy92V9ZZWD++Uj1qIvitGVKJr52bxutMW3AVAYoMwWgUyTuJ
U0uMiqyhA9UmCk66ftwr09CPQb8sIjsVXGcTHByCODHx5/6m6Fn8jz3fHp1ipfOI
ddkXbbPXAdHU4e1yxsux9W4CejfudO+Sacdx+NReFF3d0Bi1+i6QAn+L/81MccYi
8BYunA06WwWdlxExE4/zkKzz2F9aME50VSucacdsh1TxibzUsqSEKGx7xdDBjI4J
IfPoIUcXbz59tqk5E50fWDecMVSEaK1cj6KjGuuW8xqxeG+zB+i50mlDe1Uwn7da
vwqVYJNYhVsheyVHoTzL2OAUg1isBiCFL8Lb2ivhA/zM6PQBz5YV5hj/2yyuR1kD
qyHzh87So00Pmdo+s3Q+/0DsNfW8gFME82R83Ns6t+EGVs9T8Aye8yO5esb1OlcL
8MziV84zUpF1IiL+yQ/U8TvjOBExbLLPfObIQMBbdFqstcGe4gY4jJGiL+lqpCOP
QNChWWmpJBY=
=dhUr
-----END PGP SIGNATURE-----