- 1 Posts
- 112 Views
If you use PeopleSoft please read this from Oracle regarding the Jolt server within Tuxedo. This is a critical issue with a maximum CVSS score of 10.0 and may be exploited over a network without the need for a valid username and password.
This was released 2 days ago so it is possible these scripts have been running live on the internet scraping for information. If you have a public facing interface, I think it's even more important to perform an immediate risk analysis and consider taking it down.
To see how easy it is to grab usernames and passwords you can see the process automated in a few lines here, with a demo login subsequently exemplified using the server response. The programmer could scrape the information now and just come back later with the username and password.