Application: Oracle PeopleSoft
Versions Affected: PeopleTools 8.54, 8.55
Vendor: Oracle
Bugs: File Upload
Reported: 27.03.2017
Vendor response: 28.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Roman Shalymov (ERPScan)
Class: File Upload
Risk: High
Impact: Remote command execution on the server
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10061
CVSS Base Score v3: 8.3 / 10
CVSS Base Vector:
| Metric | Value |
|---|---|
| AV: Attack Vector (Related exploit range) | Network (N) |
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI: User Interaction (Required user participation) | None (N) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed (C) |
| C: Impact to Confidentiality | Low (L) |
| I: Impact to Integrity | Low (L) |
| A: Impact to Availability | Low (L) |
Description: An attacker can upload arbitrary text files to the Oracle PeopleSoft HCM 9.2 system, which can be leveraged to gain remote command execution on the server (for example, the attacker can write their own public RSA key into the ~/.ssh/authorized_keys file and obtain a valid SSH session).
Affected product: Oracle PeopleSoft HCM 9.2
Fix: Validate the uploaded content (add XML validation) before it is written over the device_map.xml file in the com.peoplesoft.pt.integrationgateway.service.Device_ID handler.
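The fix above, shown as an added illustration written for this advisory rather than PeopleSoft's own code: the upload is parsed with a hardened XML parser, its root element is checked, and only then is it allowed to replace device_map.xml at a fixed path that the request cannot influence. The destination path and the root element name `DeviceMap` are assumptions, not values from the advisory.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;

/** Guard for uploads that may replace device_map.xml (illustrative, not PeopleSoft code). */
public final class DeviceMapUploadGuard {
    // Fixed destination: the request never chooses the path. The path itself is an assumed placeholder.
    private static final Path DEVICE_MAP = Paths.get("/opt/psft/gateway/config/device_map.xml");
    private static final String EXPECTED_ROOT = "DeviceMap"; // assumed root element name
    private static final int MAX_BYTES = 1 << 20;

    /** Returns the parsed document if the upload is acceptable, otherwise throws. */
    public static Document validate(byte[] upload) throws Exception {
        if (upload == null || upload.length == 0 || upload.length > MAX_BYTES) {
            throw new IllegalArgumentException("upload empty or too large");
        }
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Harden the parser so the check itself cannot be abused: no DTDs, no external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false); f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(upload)); // throws SAXException for non-XML input
        String root = doc.getDocumentElement().getTagName();
        if (!EXPECTED_ROOT.equals(root)) {
            throw new IllegalArgumentException("unexpected root element: " + root);
        }
        return doc;
    }

    /** Replaces device_map.xml only after the content validated, via an atomic rename. */
    public static void store(byte[] upload) throws Exception {
        validate(upload);
        Path tmp = Files.createTempFile(DEVICE_MAP.getParent(), "device_map", ".tmp");
        Files.write(tmp, upload);
        Files.move(tmp, DEVICE_MAP, StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
    }

    public static void main(String[] args) throws Exception {
        byte[] notXml = "ssh-rsa AAAA... user@host\n".getBytes(StandardCharsets.UTF_8); // constructed sample
        try { validate(notXml); } catch (Exception e) { System.out.println("rejected: " + e.getMessage()); }
        byte[] ok = "<DeviceMap><device id=\"1\"/></DeviceMap>".getBytes(StandardCharsets.UTF_8);
        System.out.println("accepted root: " + validate(ok).getDocumentElement().getTagName());
    }
}
```

Plain-text content such as an SSH public key fails at the parse step, so it never reaches the file write; a well-formed document with the wrong root element is rejected as well.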