Warning issued over vulnerabilities in PeopleSoft

Organizations using Oracle PeopleSoft have been warned of a number of alleged vulnerabilities in the enterprise resource planning suite that could put business data at risk.

They were revealed last week at the Hack in the Box conference in Amsterdam by a researcher from ERPScan, a California company that specializes in security solutions for SAP applications, though it also finds vulnerabilities in ERP suites from other vendors.

In this case, according to a news report, the researcher said three architectural and configuration bugs could lead to big trouble if not patched. The most critical weakness was found in the token generation process for single sign-on, the researcher said: the token is hashed using the aging SHA-1 algorithm, which can be broken using a $500 GPU card capable of cracking an eight-character alphanumeric password within a day. This issue has reportedly not been patched yet.

Another problem involves a weak authentication protocol that can allow a local user to escalate privileges and gain full access to the PeopleSoft application and database. This issue has been patched.

The third has to do with default credentials in PeopleSoft and its WebLogic application server. ERPScan has been told by Oracle that default passwords have been removed in new versions of the software.

The researcher says Oracle [Nasdaq: ORCL] told him the problems are only seen in demo software, but he disagrees. Not every implementation is vulnerable, he admits, but some in production are.

Read the full news report here and see what you think.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
