Oracle has released an urgency security update to fix five security vulnerabilities, which one of them is rated 10 out of 10 on the CVSSv3 bug severity scoring system, and a second was rated 9.9 out of 10.
The five flaws include one called “JoltandBleed” by the security researchers because of its likeness to the HeartBleed vulnerability found in OpenSSL in 2014. JoltandBleed is a dangerous flaw that could expose whole business applications running on PeopleSoft platforms accessible from the public Internet.
According to new research by cyber-security firm ERPScan, more than 1,000 businesses have their PeopleSoft systems exposed to the Internet, including a number of colleges that use PeopleSoft Campus Solutions to handle student data.
According to ERPScan:
Oracle has released 5 patches addressing severe vulnerabilities identified by the ERPScan team. The most critical of them have the highest CVSS base score of 9.9 and even 10.0 and may be exploited over a network without the need for a valid username and password.
Oracle said that the (CVE-2017-10272) memory disclosure flaw is simple to exploit and enables a low privileged attacker with network access via Jolt to compromise Oracle Tuxedo.
Oracle users are recommended to read the company’s most recent out-of-band security alerts and install the necessary updates.