Tuesday, November 30, 2021

Security flaws detected in PeopleSoft

A security flaw recently detected in enterprise software provider PeopleSoft Inc.’s PeopleTools application framework may allow unauthorized users remote access to sensitive data.

Internet Security Systems Inc.’s (ISS) X-Force organization reported Monday that on the “SchedulerTransfer” servlet located on the PeopleSoft Web server – used to transfer reports to and from the report repository when using HTTP or HTTPS – is accessible by attacker as a Java servlet.

ISS said attackers could exploit the vulnerability using a remote command execution and replace files with bogus “attacker-defined” data under the permissions of the Web server.

ISS added the attacked PeopleSoft Web server installations may disclose critical confidential information and possibly affect PeopleSoft Application and Database back-end servers. The affected PeopleSoft installations includes PeopleTools 8.10-8.18, PeopleTools 8.40 and 8.41, ISS said, adding it recommends PeopleSoft administrators should either block or restrict access to the offending servlet in question.

According to ISS, PeopleSoft has already repaired flaws in PeopleTools 8.19 and 8.42 and has patches available for implementations 8.18.06 and 8.41.05.

ISS can be found at www.iss.com.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada

Related Tech News