[ISN] Security alert posted for PeopleSoft

From: InfoSec News (isnat_private)
Date: Tue Mar 11 2003 - 02:47:54 PST


    By Alorie Gilbert
    Staff Writer, CNET News.com
    March 10, 2003, 4:30 PM PT

    A serious security flaw in business management software from
    PeopleSoft leaves sensitive corporate data vulnerable to hackers, a
    computer security service firm warned Monday.

    The flaw, known as a remote command execution vulnerability, gives
    outsiders the ability to install malicious computer code on PeopleSoft
    customers' Web servers, potentially leading to a "complete compromise"
    of their PeopleSoft business systems, according to Internet Security
    Systems (ISS), the Atlanta-based computer security company that issued
    the warning.
    "Compromise of PeopleSoft Web server installations may disclose
    critical confidential information and facilitate the compromise of
    PeopleSoft application and database back-end servers," stated the ISS

    Pleasanton, Calif.-based PeopleSoft supplies software designed to
    streamline accounting, human resources, sales and manufacturing
    activities to more than 5,000 companies around the world. The flaw
    affects only certain releases of PeopleSoft version 8, which the
    company began shipping in 2000. Nearly 2,000 companies have installed
    version 8, according to PeopleSoft spokesman Steve Swasey. He
    declined, however, to comment on how many of those customers could be
    affected by the vulnerability.
    The flawed software, which is configured to run by default, affects
    numerous versions of a core component of its applications called
    PeopleSoft Tools, including versions 8.4, 8.41 and 8.10 through 8.18.
    Specifically, the problem pertains to a small Java program, known as a
    "servlet," that resides on PeopleSoft Web servers and can be used to
    upload files without any authentication. The purpose of the servlet,
    according to PeopleSoft, is to transfer business reports between
    servers using Internet protocols such as HTTP (hypertext transfer
    protocol).
    PeopleSoft released patches to correct the problem several weeks ago,
    Swasey said. The patches and details about the vulnerability are
    available on the company's private Web site for PeopleSoft customers
    as well as through ISS. PeopleSoft has yet to hear of any problems
    related to the security flaw, Swasey added. An ISS spokesman also said
    the flaw had not yet been exploited, as far as he knew.

    PeopleSoft touts version 8 of its applications as a major advancement
    of its technology because of its use of Internet protocols. PeopleSoft
    competitors SAP, Siebel Systems and Oracle have also released software
    designed to run over the Web.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 04:57:55 PST