===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0201
      Multiple vulnerabilities have been identified in Oracle Tuxedo
                             20 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Tuxedo
                      Oracle Peoplesoft products
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
                      Modify Arbitrary Files -- Remote/Unauthenticated
                      Create Arbitrary Files -- Remote/Unauthenticated
                      Denial of Service      -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-10278 CVE-2017-10272 CVE-2017-10269
                      CVE-2017-10267 CVE-2017-10266 
Member content until: Wednesday, December 20 2017

OVERVIEW

        Multiple severe vulnerabilities (including one with a CVSS score of 10.0)
        have been identified in the Jolt Server within Oracle Tuxedo. As Oracle
        PeopleSoft products also include and use Oracle Tuxedo, Oracle recommends
        patching those as well. [1]


IMPACT

        Oracle has provided the following information regarding the
        vulnerabilities. [2]
        
        +----------------+------------------------------------------------------------+
        |      CVE#      |                        Description                         |
        +----------------+------------------------------------------------------------+
        |                | Vulnerability in the Oracle Tuxedo component of Oracle     |
        |                | Fusion Middleware (subcomponent: Core). Supported versions |
        |                | that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2.   |
        |                | Easily exploitable vulnerability allows unauthenticated    |
        |                | attacker with network access via Jolt to compromise Oracle |
        | CVE-2017-10266 | Tuxedo. Successful attacks of this vulnerability can       |
        |                | result in unauthorized read access to a subset of Oracle   |
        |                | Tuxedo accessible data.                                    |
        |                |                                                            |
        |                | CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS   |
        |                | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (  |
        |                | legend) [Advisory]                                         |
        +----------------+------------------------------------------------------------+
        |                | Vulnerability in the Oracle Tuxedo component of Oracle     |
        |                | Fusion Middleware (subcomponent: Core). Supported versions |
        |                | that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2.   |
        |                | Easily exploitable vulnerability allows unauthenticated    |
        |                | attacker with network access via Jolt to compromise Oracle |
        | CVE-2017-10267 | Tuxedo. Successful attacks of this vulnerability can       |
        |                | result in unauthorized access to critical data or complete |
        |                | access to all Oracle Tuxedo accessible data.               |
        |                |                                                            |
        |                | CVSS v3.0 Base Score 7.5 (Confidentiality impacts). CVSS   |
        |                | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (  |
        |                | legend) [Advisory]                                         |
        +----------------+------------------------------------------------------------+
        |                | Vulnerability in the Oracle Tuxedo component of Oracle     |
        |                | Fusion Middleware (subcomponent: Core). Supported versions |
        |                | that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2.   |
        |                | Easily exploitable vulnerability allows unauthenticated    |
        |                | attacker with network access via Jolt to compromise Oracle |
        |                | Tuxedo. While the vulnerability is in Oracle Tuxedo,       |
        |                | attacks may significantly impact additional products.      |
        |                | Successful attacks of this vulnerability can result in     |
        | CVE-2017-10269 | unauthorized creation, deletion or modification access to  |
        |                | critical data or all Oracle Tuxedo accessible data as well |
        |                | as unauthorized access to critical data or complete access |
        |                | to all Oracle Tuxedo accessible data and unauthorized      |
        |                | ability to cause a partial denial of service (partial DOS) |
        |                | of Oracle Tuxedo.                                          |
        |                |                                                            |
        |                | CVSS v3.0 Base Score 10.0 (Confidentiality, Integrity and  |
        |                | Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/   |
        |                | PR:N/UI:N/S:C/C:H/I:H/A:L). (legend) [Advisory]            |
        +----------------+------------------------------------------------------------+
        |                | Vulnerability in the Oracle Tuxedo component of Oracle     |
        |                | Fusion Middleware (subcomponent: Core). Supported versions |
        |                | that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2.   |
        |                | Easily exploitable vulnerability allows low privileged     |
        |                | attacker with network access via Jolt to compromise Oracle |
        |                | Tuxedo. While the vulnerability is in Oracle Tuxedo,       |
        |                | attacks may significantly impact additional products.      |
        |                | Successful attacks of this vulnerability can result in     |
        | CVE-2017-10272 | unauthorized creation, deletion or modification access to  |
        |                | critical data or all Oracle Tuxedo accessible data as well |
        |                | as unauthorized access to critical data or complete access |
        |                | to all Oracle Tuxedo accessible data and unauthorized      |
        |                | ability to cause a partial denial of service (partial DOS) |
        |                | of Oracle Tuxedo.                                          |
        |                |                                                            |
        |                | CVSS v3.0 Base Score 9.9 (Confidentiality, Integrity and   |
        |                | Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/   |
        |                | PR:L/UI:N/S:C/C:H/I:H/A:L). (legend) [Advisory]            |
        +----------------+------------------------------------------------------------+
        |                | Vulnerability in the Oracle Tuxedo component of Oracle     |
        |                | Fusion Middleware (subcomponent: Security). Supported      |
        |                | versions that are affected are 11.1.1, 12.1.1, 12.1.3 and  |
        |                | 12.2.2. Difficult to exploit vulnerability allows          |
        |                | unauthenticated attacker with network access via Jolt to   |
        |                | compromise Oracle Tuxedo. Successful attacks of this       |
        |                | vulnerability can result in unauthorized access to         |
        | CVE-2017-10278 | critical data or complete access to all Oracle Tuxedo      |
        |                | accessible data as well as unauthorized update, insert or  |
        |                | delete access to some of Oracle Tuxedo accessible data and |
        |                | unauthorized ability to cause a partial denial of service  |
        |                | (partial DOS) of Oracle Tuxedo.                            |
        |                |                                                            |
        |                | CVSS v3.0 Base Score 7.0 (Confidentiality, Integrity and   |
        |                | Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/   |
        |                | PR:N/UI:N/S:U/C:H/I:L/A:L). (legend) [Advisory]            |
        +----------------+------------------------------------------------------------+


MITIGATION

        Oracle has given the following comments regarding the patching of 
        these products:
        
        "Since Oracle PeopleSoft products include and use Oracle Tuxedo in their
        distributions, PeopleSoft customers should apply the Tuxedo patches
        referenced below." [1]
        
        "Due to the severity of these vulnerabilities, Oracle strongly 
        recommends that customers apply the updates provided by this Security
        Alert as soon as possible." [1]


REFERENCES

        [1] Oracle Security Alert Advisory - CVE-2017-10269
            http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10269-4021872.html

        [2] Text Form of Oracle Security Alert - CVE-2017-10269 Risk Matrices
            http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10269-verbose-4021892.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================