Security flaws detected in PeopleSoft

A security flaw recently detected in enterprise software provider PeopleSoft Inc.’s PeopleTools application framework may allow unauthorized users remote access to sensitive data.

Internet Security Systems Inc.’s (ISS) X-Force organization reported Monday that on the “SchedulerTransfer” servlet located on the PeopleSoft Web server – used to transfer reports to and from the report repository when using HTTP or HTTPS – is accessible by attacker as a Java servlet.

ISS said attackers could exploit the vulnerability using a remote command execution and replace files with bogus “attacker-defined” data under the permissions of the Web server.

ISS added the attacked PeopleSoft Web server installations may disclose critical confidential information and possibly affect PeopleSoft Application and Database back-end servers. The affected PeopleSoft installations includes PeopleTools 8.10-8.18, PeopleTools 8.40 and 8.41, ISS said, adding it recommends PeopleSoft administrators should either block or restrict access to the offending servlet in question.

According to ISS, PeopleSoft has already repaired flaws in PeopleTools 8.19 and 8.42 and has patches available for implementations 8.18.06 and 8.41.05.

ISS can be found at