SB2022101973 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022101973

SB2022101973 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

Published: October 19, 2022

Security Bulletin ID SB2022101973
Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 57% Low 43%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Missing Encryption of Sensitive Data (CVE-ID: CVE-2022-2097)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation. Under specific circumstances OpenSSL does not encrypt the entire message and can reveal sixteen bytes of data that was preexisting in the memory that wasn't written. A remote attacker can gain access to potentially sensitive information.



2) Improper input validation (CVE-ID: CVE-2022-21602)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Portal component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


3) Improper input validation (CVE-ID: CVE-2022-39407)

The vulnerability allows a local authenticated user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in PeopleSoft Enterprise PeopleTools. A local authenticated user can exploit this vulnerability to gain access to sensitive information.


4) Creation of Temporary File With Insecure Permissions (CVE-ID: CVE-2022-24823)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to usage of insecure permissions for temporary files. A local user can view contents of temporary files and gain access to sensitive information.


5) Improper input validation (CVE-ID: CVE-2022-21639)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Elastic Search Integration component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


6) Resource exhaustion (CVE-ID: CVE-2021-22144)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an uncontrolled recursion issue in the Elasticsearch Grok parser. A remote authenticated attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


7) Deserialization of Untrusted Data (CVE-ID: CVE-2022-25647)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to insecure input validation when processing serialized data passed to writeReplace() method. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.


Remediation

Install update from vendor's website.

References