Oracle Tuxedo Jolt Protocol CVE-2017-10278 Heap Buffer Overflow
TSL ID TSL20171117-03
CVE ID(s) CVE-2017-10278
Severity Critical
Description

A heap buffer overflow vulnerability exists in Oracle's Tuxedo and PeopleSoft products. The flaw is in the Jolt Server component of Tuxedo, which is bundled with several PeopleSoft products.

A remote, unauthenticated attacker can exploit this vulnerability by sending crafted packets to the target server. Successful exploitation will result in arbitrary code execution with the privileges of the server process.

Oracle has released an advisory and patches for this vulnerability:

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10269-4021872.html

Affected Products
  • Oracle PeopleSoft Products
  • Oracle Tuxedo 11.1.1
  • Oracle Tuxedo 12.1.1
  • Oracle Tuxedo 12.1.3
  • Oracle Tuxedo 12.2.2
CVSS Score
Base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal 5.5 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References
  • https://erpscan.com/press-center/blog/peoplesoft-joltandbleed/
  • http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10269-4021872.html
Related Threats