SB2021012078 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools
Published: January 20, 2021
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Raccoon attack (CVE-ID: CVE-2020-1968)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a timing flaw in the TLS specification. A remote attacker can compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite and eavesdrop on all encrypted communications sent over that TLS connection.
Note: The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections.
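A server that re-uses its DH secret sends the same DH public value in every handshake, so the condition in the note above can be audited from recorded handshakes. The Python code below is an added example, not part of the original bulletin or of any vendor code: it parses the ServerDHParams fields at the start of TLS 1.2 ServerKeyExchange bodies and reports public values seen on more than one connection. The function names, connection labels and toy sample data are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams (RFC 5246, section 7.4.3): dh_p, dh_g, dh_Ys, each a
    2-byte length followed by a big-endian integer. Trailing bytes (signature) are ignored."""
    values, offset = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad {name} length {length}")
        values.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    return tuple(values)

def find_reused_dh_keys(handshakes):
    """handshakes: iterable of (connection id, ServerKeyExchange body).
    Returns {(p, g, Ys): [connection ids]} for public values seen more than once."""
    seen = defaultdict(list)
    for conn_id, body in handshakes:
        seen[parse_server_dh_params(body)].append(conn_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}

def encode_params(p, g, ys):
    # Hypothetical helper: builds a ServerDHParams byte string for the sample below.
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed sample: toy group (p=23, g=5), not taken from real traffic.
SAMPLE = [
    ("conn-1", encode_params(23, 5, 8)),
    ("conn-2", encode_params(23, 5, 19)),
    ("conn-3", encode_params(23, 5, 8)),   # same Ys as conn-1: secret re-used
]

if __name__ == "__main__":
    for (p, g, ys), ids in find_reused_dh_keys(SAMPLE).items():
        print(f"DH public value {ys:#x} re-used on connections: {', '.join(ids)}")
```

A non-empty result means the server kept the same DH secret across those connections, which is the precondition the note describes.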
2) Improper input validation (CVE-ID: CVE-2020-9281)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Oracle Application Express in Oracle Database Server. A remote authenticated user can exploit this vulnerability to read and manipulate data.
3) Improper input validation (CVE-ID: CVE-2021-2043)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Portal component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
4) Improper input validation (CVE-ID: CVE-2021-2071)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Elastic Search component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
5) Improper input validation (CVE-ID: CVE-2021-2063)
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Portal component in PeopleSoft Enterprise PeopleTools. A local non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
Remediation
Install the update from the vendor's website.