===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0201
      Multiple vulnerabilities have been identified in Oracle Tuxedo
                              20 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Tuxedo
                      Oracle Peoplesoft products
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data   -- Remote/Unauthenticated
                      Modify Arbitrary Files   -- Remote/Unauthenticated
                      Create Arbitrary Files   -- Remote/Unauthenticated
                      Denial of Service        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-10278 CVE-2017-10272 CVE-2017-10269
                      CVE-2017-10267 CVE-2017-10266

Member content until: Wednesday, December 20 2017

OVERVIEW

        Multiple severe vulnerabilities (including one with a CVSS base
        score of 10.0) have been identified in the Jolt Server within
        Oracle Tuxedo. As Oracle Peoplesoft products also use Oracle
        Tuxedo, Oracle recommends patching those as well. [1]

IMPACT

        Oracle has provided the below information regarding the
        vulnerabilities. [2]

+----------------+------------------------------------------------------------+
| CVE#           | Description                                                |
+----------------+------------------------------------------------------------+
|                | Vulnerability in the Oracle Tuxedo component of Oracle     |
|                | Fusion Middleware (subcomponent: Core). Supported versions |
|                | that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2.   |
|                | Easily exploitable vulnerability allows unauthenticated    |
|                | attacker with network access via Jolt to compromise Oracle |
| CVE-2017-10266 | Tuxedo. Successful attacks of this vulnerability can       |
|                | result in unauthorized read access to a subset of Oracle   |
|                | Tuxedo accessible data.                                    |
|                |                                                            |
|                | CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS   |
|                | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).    |
+----------------+------------------------------------------------------------+
|                | Vulnerability in the Oracle Tuxedo component of Oracle     |
|                | Fusion Middleware (subcomponent: Core). Supported versions |
|                | that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2.   |
|                | Easily exploitable vulnerability allows unauthenticated    |
|                | attacker with network access via Jolt to compromise Oracle |
| CVE-2017-10267 | Tuxedo. Successful attacks of this vulnerability can       |
|                | result in unauthorized access to critical data or complete |
|                | access to all Oracle Tuxedo accessible data.               |
|                |                                                            |
|                | CVSS v3.0 Base Score 7.5 (Confidentiality impacts). CVSS   |
|                | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).    |
+----------------+------------------------------------------------------------+
|                | Vulnerability in the Oracle Tuxedo component of Oracle     |
|                | Fusion Middleware (subcomponent: Core). Supported versions |
|                | that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2.   |
|                | Easily exploitable vulnerability allows unauthenticated    |
|                | attacker with network access via Jolt to compromise Oracle |
|                | Tuxedo. While the vulnerability is in Oracle Tuxedo,       |
|                | attacks may significantly impact additional products.      |
|                | Successful attacks of this vulnerability can result in     |
| CVE-2017-10269 | unauthorized creation, deletion or modification access to  |
|                | critical data or all Oracle Tuxedo accessible data as well |
|                | as unauthorized access to critical data or complete access |
|                | to all Oracle Tuxedo accessible data and unauthorized      |
|                | ability to cause a partial denial of service (partial DOS) |
|                | of Oracle Tuxedo.                                          |
|                |                                                            |
|                | CVSS v3.0 Base Score 10.0 (Confidentiality, Integrity and  |
|                | Availability impacts). CVSS Vector:                        |
|                | (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).            |
+----------------+------------------------------------------------------------+
|                | Vulnerability in the Oracle Tuxedo component of Oracle     |
|                | Fusion Middleware (subcomponent: Core). Supported versions |
|                | that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2.   |
|                | Easily exploitable vulnerability allows low privileged     |
|                | attacker with network access via Jolt to compromise Oracle |
|                | Tuxedo. While the vulnerability is in Oracle Tuxedo,       |
|                | attacks may significantly impact additional products.      |
|                | Successful attacks of this vulnerability can result in     |
| CVE-2017-10272 | unauthorized creation, deletion or modification access to  |
|                | critical data or all Oracle Tuxedo accessible data as well |
|                | as unauthorized access to critical data or complete access |
|                | to all Oracle Tuxedo accessible data and unauthorized      |
|                | ability to cause a partial denial of service (partial DOS) |
|                | of Oracle Tuxedo.                                          |
|                |                                                            |
|                | CVSS v3.0 Base Score 9.9 (Confidentiality, Integrity and   |
|                | Availability impacts). CVSS Vector:                        |
|                | (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).            |
+----------------+------------------------------------------------------------+
|                | Vulnerability in the Oracle Tuxedo component of Oracle     |
|                | Fusion Middleware (subcomponent: Security). Supported      |
|                | versions that are affected are 11.1.1, 12.1.1, 12.1.3 and  |
|                | 12.2.2. Difficult to exploit vulnerability allows          |
|                | unauthenticated attacker with network access via Jolt to   |
|                | compromise Oracle Tuxedo. Successful attacks of this       |
|                | vulnerability can result in unauthorized access to         |
| CVE-2017-10278 | critical data or complete access to all Oracle Tuxedo      |
|                | accessible data as well as unauthorized update, insert or  |
|                | delete access to some of Oracle Tuxedo accessible data and |
|                | unauthorized ability to cause a partial denial of service  |
|                | (partial DOS) of Oracle Tuxedo.                            |
|                |                                                            |
|                | CVSS v3.0 Base Score 7.0 (Confidentiality, Integrity and   |
|                | Availability impacts). CVSS Vector:                        |
|                | (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L).            |
+----------------+------------------------------------------------------------+

MITIGATION

        Oracle has given the following comments regarding the patching of
        these products:

        "Since Oracle PeopleSoft products include and use Oracle Tuxedo in
        their distributions, PeopleSoft customers should apply the Tuxedo
        patches referenced below." [1]

        "Due to the severity of these vulnerabilities, Oracle strongly
        recommends that customers apply the updates provided by this
        Security Alert as soon as possible." [1]

REFERENCES

        [1] Oracle Security Alert Advisory - CVE-2017-10269
            http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10269-4021872.html

        [2] Text Form of Oracle Security Alert - CVE-2017-10269 Risk Matrices
            http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10269-verbose-4021892.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================