SB20200114143 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools
Published: January 14, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2020-2687)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Elastic Search component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
2) Cryptographic issues (CVE-ID: CVE-2019-1547)
The vulnerability allows a remote attacker to decrypt traffic.
The vulnerability exists due to insufficient enforcement of side channel resistant code paths. A remote attacker with ability to create a large number of signatures, where explicit parameters with no co-factor is present, can force the application to fall back to non-side channel resistant code pathsduring ECDSA signature operation and perform full key recovery.
Successful exploitation of the vulnerability may allow an attacker to decrypt communication between server and client.
3) Improper input validation (CVE-ID: CVE-2020-2602)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Tree Manager component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
4) Improper input validation (CVE-ID: CVE-2020-2663)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
5) Improper input validation (CVE-ID: CVE-2020-2607)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
6) Improper input validation (CVE-ID: CVE-2020-2606)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
7) Improper input validation (CVE-ID: CVE-2020-2600)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Elastic Search component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
8) Improper input validation (CVE-ID: CVE-2020-2598)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Activity Guide component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
9) Memory corruption (CVE-ID: CVE-2017-1000376)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to memory management errors in implementation of various functions under multiple operating systems. A local or remote attacker can use the GNU_STACK executable to manipulate the heap/stack, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
10) Improper input validation (CVE-ID: CVE-2019-0227)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Core (Apache Axis) component in Oracle Communications Design Studio. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
11) Infinite loop (CVE-ID: CVE-2017-12626)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to infinite loops while parsing specially crafted WMF, EMF, MSG and macros and out of Memory exceptions while parsing specially crafted DOC, PPT and XLS. A remote attacker can cause the service to crash.
12) Deserialization of Untrusted Data (CVE-ID: CVE-2019-2729)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within XMLDecoder class. A remote non-authenticated attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
13) Improper input validation (CVE-ID: CVE-2017-15708)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Portal (Apache Commons) component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
Remediation
Install update from vendor's website.