-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2017.0043
        Security Advisory: Oracle PeopleSoft Products
                              20 April 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle PeopleSoft Products
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Modify Arbitrary Files   -- Remote/Unauthenticated
                      Denial of Service        -- Remote/Unauthenticated
                      Access Confidential Data -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-3577 CVE-2017-3571 CVE-2017-3570 CVE-2017-3548
                      CVE-2017-3547 CVE-2017-3546 CVE-2017-3536 CVE-2017-3527
                      CVE-2017-3525 CVE-2017-3524 CVE-2017-3522 CVE-2017-3521
                      CVE-2017-3520 CVE-2017-3519 CVE-2017-3502 CVE-2014-3596
Member content until: Friday, May 19 2017
Reference:            ESB-2016.0456
                      ESB-2016.0127
                      ESB-2015.2791
                      ESB-2015.1317
                      ESB-2015.1014

OVERVIEW

        Multiple vulnerabilities have been identified in the following
        components of Oracle PeopleSoft Products:

        PeopleSoft Enterprise CS Campus Community, version(s) 9.2
        PeopleSoft Enterprise FIN Receivables, version(s) 9.2
        PeopleSoft Enterprise FSCM, version(s) 9.1
        PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
        PeopleSoft Enterprise SCM eBill Payment, version(s) 9.2
        PeopleSoft Enterprise SCM eSupplier Connection, version(s) 9.2
        PeopleSoft Enterprise SCM Purchasing, version(s) 9.2
        PeopleSoft Enterprise SCM Service Procurement, version(s) 9.2
        PeopleSoft Enterprise SCM Strategic Sourcing, version(s) 9.2. [1]

IMPACT

        The vendor has provided the following information:

        "CVE-2017-3519  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

        Easily exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise PeopleSoft Enterprise
        PeopleTools. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all
        PeopleSoft Enterprise PeopleTools accessible data.

        CVE-2017-3547  7.4  AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

        Easily exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise PeopleSoft Enterprise
        PeopleTools. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        PeopleSoft Enterprise PeopleTools, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized creation, deletion or modification access to
        critical data or all PeopleSoft Enterprise PeopleTools accessible
        data.

        CVE-2017-3577  6.5  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

        Easily exploitable vulnerability allows high privileged attacker
        with network access via HTTP to compromise PeopleSoft Enterprise CS
        Campus Community. Successful attacks of this vulnerability can
        result in unauthorized creation, deletion or modification access to
        critical data or all PeopleSoft Enterprise CS Campus Community
        accessible data as well as unauthorized access to critical data or
        complete access to all PeopleSoft Enterprise CS Campus Community
        accessible data.

        CVE-2017-3570  6.5  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

        Easily exploitable vulnerability allows high privileged attacker
        with network access via HTTP to compromise PeopleSoft Enterprise
        FSCM. Successful attacks of this vulnerability can result in
        unauthorized creation, deletion or modification access to critical
        data or all PeopleSoft Enterprise FSCM accessible data as well as
        unauthorized access to critical data or complete access to all
        PeopleSoft Enterprise FSCM accessible data.

        CVE-2017-3520  6.5  AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

        Easily exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise PeopleSoft Enterprise
        PeopleTools. Successful attacks require human interaction from a
        person other than the attacker. Successful attacks of this
        vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all PeopleSoft Enterprise
        PeopleTools accessible data.

        CVE-2017-3548  6.5  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

        Easily exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise PeopleSoft Enterprise
        PeopleTools. Successful attacks of this vulnerability can result in
        unauthorized read access to a subset of PeopleSoft Enterprise
        PeopleTools accessible data and unauthorized ability to cause a
        partial denial of service (partial DOS) of PeopleSoft Enterprise
        PeopleTools.

        CVE-2017-3546  6.5  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

        Easily exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise PeopleSoft Enterprise
        PeopleTools. Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of PeopleSoft
        Enterprise PeopleTools accessible data as well as unauthorized read
        access to a subset of PeopleSoft Enterprise PeopleTools accessible
        data.

        CVE-2014-3596  6.5  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

        Easily exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise PeopleSoft Enterprise
        PeopleTools. Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of PeopleSoft
        Enterprise PeopleTools accessible data as well as unauthorized read
        access to a subset of PeopleSoft Enterprise PeopleTools accessible
        data.

        CVE-2017-3521  6.5  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

        Easily exploitable vulnerability allows high privileged attacker
        with network access via HTTP to compromise PeopleSoft Enterprise SCM
        Purchasing. Successful attacks of this vulnerability can result in
        unauthorized creation, deletion or modification access to critical
        data or all PeopleSoft Enterprise SCM Purchasing accessible data as
        well as unauthorized access to critical data or complete access to
        all PeopleSoft Enterprise SCM Purchasing accessible data.

        CVE-2017-3525  6.5  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

        Easily exploitable vulnerability allows high privileged attacker
        with network access via HTTP to compromise PeopleSoft Enterprise SCM
        Service Procurement. Successful attacks of this vulnerability can
        result in unauthorized creation, deletion or modification access to
        critical data or all PeopleSoft Enterprise SCM Service Procurement
        accessible data as well as unauthorized access to critical data or
        complete access to all PeopleSoft Enterprise SCM Service Procurement
        accessible data.

        CVE-2017-3524  6.5  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

        Easily exploitable vulnerability allows high privileged attacker
        with network access via HTTP to compromise PeopleSoft Enterprise SCM
        Strategic Sourcing. Successful attacks of this vulnerability can
        result in unauthorized creation, deletion or modification access to
        critical data or all PeopleSoft Enterprise SCM Strategic Sourcing
        accessible data as well as unauthorized access to critical data or
        complete access to all PeopleSoft Enterprise SCM Strategic Sourcing
        accessible data.

        CVE-2017-3571  6.5  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

        Easily exploitable vulnerability allows high privileged attacker
        with network access via HTTP to compromise PeopleSoft Enterprise SCM
        eBill Payment. Successful attacks of this vulnerability can result
        in unauthorized creation, deletion or modification access to
        critical data or all PeopleSoft Enterprise SCM eBill Payment
        accessible data as well as unauthorized access to critical data or
        complete access to all PeopleSoft Enterprise SCM eBill Payment
        accessible data.

        CVE-2017-3522  6.5  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

        Easily exploitable vulnerability allows high privileged attacker
        with network access via HTTP to compromise PeopleSoft Enterprise SCM
        eSupplier Connection. Successful attacks of this vulnerability can
        result in unauthorized creation, deletion or modification access to
        critical data or all PeopleSoft Enterprise SCM eSupplier Connection
        accessible data as well as unauthorized access to critical data or
        complete access to all PeopleSoft Enterprise SCM eSupplier
        Connection accessible data.

        CVE-2017-3502  5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

        Easily exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise PeopleSoft Enterprise FIN
        Receivables. Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of PeopleSoft
        Enterprise FIN Receivables accessible data.

        CVE-2017-3527  5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

        Easily exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise PeopleSoft Enterprise
        PeopleTools. Successful attacks of this vulnerability can result in
        unauthorized read access to a subset of PeopleSoft Enterprise
        PeopleTools accessible data.

        CVE-2017-3536  4.6  AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise PeopleSoft Enterprise
        PeopleTools. Successful attacks require human interaction from a
        person other than the attacker. Successful attacks of this
        vulnerability can result in unauthorized update, insert or delete
        access to some of PeopleSoft Enterprise PeopleTools accessible data
        as well as unauthorized read access to a subset of PeopleSoft
        Enterprise PeopleTools accessible data." [2]

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2017
            http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

        [2] Text Form of Oracle Critical Patch Update - April 2017 Risk Matrices
            https://www.oracle.com/technetwork/topics/security/cpuapr2017verbose-3236619.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================