Oracle Issues Emergency Patch to Plug JoltandBleed Vulnerability

Patches plug five vulnerabilities plaguing Big Red's Tuxedo application server, including one offering remote server access.

Christine Hall

November 17, 2017


Although Oracle's next patch update wasn't scheduled until January, Big Red jumped the gun and issued a set of urgent security fixes on Tuesday.

The purpose was to fix five vulnerabilities, including one being called "JoltandBleed" because of its similarity to the Heartbleed vulnerability that affected OpenSSL in 2014 and caused something of a panic among Linux and open source users. The vulnerability affects all Oracle products built on the Tuxedo application server, a list that includes Oracle PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management.

Details of the vulnerabilities were made public today at the DeepSec security conference in Vienna, Austria by researchers from ERP security firm ERPScan, who said the vulnerabilities affect more than 6,000 organizations, at least 1,000 of which are exploitable over the internet. A total of five security issues were found in Tuxedo, two of them carrying the highest CVSS ratings, 10.0 and 9.9.

JoltandBleed, one of the two top-rated bugs, can be used to gain unauthorized remote access to a system.

According to ERPScan, the vulnerability is due to a coding error in which a "package length that must be 0x40 bytes is actually 0x40000000." Because the server accepts a declared length far larger than the data it is meant to handle, an attacker can hold a stable connection to the server and have it return memory well beyond the intended buffer.
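To make the bug class concrete, here is an added illustration in C. It is not code from the article, from ERPScan or from Oracle, and it does not reproduce the Jolt wire format, which the article does not describe. It models a length-prefixed "echo" request handled against a 0x40-byte receive buffer, and shows the same handler with the limit the article quotes (0x40000000) beside the limit it should have had (0x40). The simulated heap layout, the planted session string and the 4-byte big-endian length header are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumption, not the Jolt protocol): a request is a
 * 4-byte big-endian declared length followed by the payload; the server
 * echoes `declared` bytes back from its receive buffer. */
#define PKT_MAX    0x40u        /* the size the check should enforce   */
#define BAD_LIMIT  0x40000000u  /* the limit the article says was used  */
#define ARENA_SIZE 256u         /* simulated heap region around the buffer */

/* Simulated process memory: the 0x40-byte receive buffer sits at offset 0,
 * and other live data (a constructed session record) follows it. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SESSION=ab12cd34;USER=admin;PASS=hunter2";

static void reset_arena(void)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena + PKT_MAX, secret, sizeof secret - 1);
}

/* Handles one request and writes the echoed bytes into out.
 * `limit` is the bound applied to the attacker-supplied length: with
 * PKT_MAX only the receive buffer can ever be echoed; with BAD_LIMIT the
 * declared length is effectively trusted and the copy runs past the
 * buffer into neighbouring memory. The clamp to ARENA_SIZE exists only to
 * keep this model within defined behaviour; a real server would keep
 * reading adjacent heap until it hit unmapped memory. */
static size_t echo_handler(const unsigned char *pkt, size_t pkt_len,
                           uint32_t limit, unsigned char *out, size_t out_cap)
{
    if (pkt_len < 4)
        return 0;
    uint32_t declared = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                        ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    if (declared > limit)           /* the check whose bound was wrong */
        return 0;

    size_t body = pkt_len - 4;      /* store the payload in the buffer */
    if (body > PKT_MAX)
        body = PKT_MAX;
    memcpy(arena, pkt + 4, body);

    size_t n = declared;            /* echo `declared` bytes back */
    if (n > ARENA_SIZE)
        n = ARENA_SIZE;
    if (n > out_cap)
        n = out_cap;
    memcpy(out, arena, n);
    return n;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0)
            return 1;
    return 0;
}

/* Sends a 4-byte payload that declares `declared` bytes; returns the
 * number of bytes the server echoed under the given length limit. */
static size_t response_bytes(uint32_t limit, uint32_t declared,
                             unsigned char *resp, size_t cap)
{
    unsigned char req[8] = {
        (unsigned char)(declared >> 24), (unsigned char)(declared >> 16),
        (unsigned char)(declared >> 8),  (unsigned char)declared,
        'P', 'I', 'N', 'G'
    };
    reset_arena();
    return echo_handler(req, sizeof req, limit, resp, cap);
}

/* 1 if the planted password leaves the server in the response. */
static int leaks_secret(uint32_t limit, uint32_t declared)
{
    unsigned char resp[ARENA_SIZE];
    size_t n = response_bytes(limit, declared, resp, sizeof resp);
    return contains(resp, n, "PASS=hunter2");
}

int main(void)
{
    printf("limit 0x40000000, declared 0x100: leaks secret = %d\n",
           leaks_secret(BAD_LIMIT, 0x100));
    printf("limit 0x40,       declared 0x100: leaks secret = %d\n",
           leaks_secret(PKT_MAX, 0x100));
    return 0;
}
```

The only difference between the leaking and the safe run is the constant compared against the attacker-controlled length, which is the Heartbleed pattern: a length field is validated against a bound that does not correspond to the real buffer, so the copy that follows reads whatever happens to sit next to it.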

"Technically, it is a memory leakage vulnerability similar to HeartBleed but in the Jolt Protocol, Oracle's proprietary protocol, so it may be dubbed JoltandBleed," ERPScan said in a statement. "By sending a series of packets to the HTTP port handled by the Jolt service, it is possible to retrieve memory containing session information, usernames and even passwords, as was demonstrated in the video."

Oracle issued the patches after being informed of the vulnerabilities by ERPScan.

"Due to the severity of these vulnerabilities, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible," the company said in a security announcement.

The fact that the vulnerabilities affect PeopleSoft Campus Solutions is notable because the platform is widely used in higher education for financial management and other purposes. At today's DeepSec conference, ERPScan demonstrated how the vulnerability could be used by students "to gain financial aid or be awarded and delete payment orders for their education to save money."

About the Author

Christine Hall

Freelance author

Christine Hall has been a journalist since 1971. In 2001 she began writing a weekly consumer computer column and began covering IT full time in 2002, focusing on Linux and open source software. Since 2010 she's published and edited the website FOSS Force. Follow her on Twitter: @BrideOfLinux.
