Oracle issued a set of urgent security fixes on Tuesday that repair vulnerabilities revealed today by researchers from the managed security provider ERPScan at the DeepSec security conference in Vienna, Austria. The five vulnerabilities include one dubbed "JoltandBleed" by the researchers because of its similarity to the Heartbleed vulnerability discovered in OpenSSL in 2014. JoltandBleed is a serious vulnerability that could expose entire business applications running on PeopleSoft platforms that are accessible from the public Internet.

The products affected include Oracle PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management, as well as any other product using the Tuxedo 2 application server. According to recent research by ERPScan, more than 1,000 enterprises have their PeopleSoft systems exposed to the Internet, including a number of universities that use PeopleSoft Campus Solutions to manage student data.

JoltandBleed is a memory leakage vulnerability in Oracle's proprietary Jolt protocol, used by the Tuxedo 2 application server. Crafted network packets sent to the HTTP port controlled by the Jolt service could extract data from the app server's memory, including session information, user names, and passwords in plain text, as the researchers demonstrated in a video shown at the conference.

The bug was introduced by the developer or developers who wrote the server-side code for the Jolt protocol handler. "The confusion was between 2 functions, jtohi and htoji," the ERPScan researchers wrote in a description of the vulnerabilities. As a result, while the protocol expects the "package length" field for data to be 0x40 bytes, the server actually responds to requests with lengths of 0x40000000 bytes.

By using the much larger message size, an attacker can establish a stable connection with the server that reads past the intended message area. "Initiating a mass of connections," the researchers wrote, "the hacker passively collects the internal memory of the Jolt server… it leads to the leakage of credentials when a user is entering them through the web interface of a PeopleSoft system."
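The length mix-up described above, as an added illustration that is not Oracle's code or ERPScan's: the page names the two helpers, jtohi and htoji, and this example models them as 32-bit byte-order swaps (an assumption, by analogy with ntohl/htonl) to show how a 0x40 length becomes 0x40000000, and what a bounds check on the decoded length against the bytes actually received looks like.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins for the helpers named on the page (not Oracle's code).
 * Assumption: Jolt carries integers big-endian and the host is little-endian,
 * so both helpers are a 32-bit byte swap, exactly like ntohl()/htonl(). */
static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0x0000FF00u) |
           ((v << 8) & 0x00FF0000u) | (v << 24);
}
static uint32_t jtohi(uint32_t jolt_order) { return swap32(jolt_order); } /* Jolt -> host */
static uint32_t htoji(uint32_t host_order) { return swap32(host_order); } /* host -> Jolt */

#define JOLT_EXPECTED_LEN 0x40u /* package length the page says the protocol expects */

/* Load the 4-byte length field as the raw word a little-endian host sees
 * before any conversion: bytes 00 00 00 40 read as 0x40000000. */
static uint32_t raw_len(const unsigned char hdr[4]) {
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
           ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}

/* Correct handling: exactly one Jolt->host conversion, then bound the result
 * by the protocol maximum and by what was actually received before the payload
 * is touched. Returns the payload length to process, or 0 to reject. */
static uint32_t parse_len_checked(const unsigned char *pkt, size_t received) {
    uint32_t len;
    if (received < 4) return 0;
    len = jtohi(raw_len(pkt));
    if (len > JOLT_EXPECTED_LEN || (size_t)len > received - 4) return 0;
    return len;
}

/* Modelled mix-up (an assumption about the mechanism, not the vendor's code):
 * the already-host-order value is pushed through htoji() as if it still needed
 * converting, so 0x40 comes out as 0x40000000, and nothing bounds it. */
static uint32_t parse_len_confused(const unsigned char *pkt) {
    uint32_t len = jtohi(raw_len(pkt));
    return htoji(len);
}

/* Constructed sample packets: a 4-byte big-endian length header plus payload. */
static const unsigned char PKT_OK[4 + 0x40]       = {0x00, 0x00, 0x00, 0x40};
static const unsigned char PKT_OVERSIZE[4 + 0x41] = {0x00, 0x00, 0x00, 0x41};
```

The checked parser accepts PKT_OK, rejects PKT_OVERSIZE, and rejects a truncated PKT_OK whose header promises more bytes than arrived, while the confused path turns the same 0x40 header into 0x40000000.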

The other vulnerabilities disclosed include further memory-based flaws, among them heap and stack overflows, as well as a brute-force attack against passwords. An advanced attack demonstrated by ERPScan researchers showed how a student could theoretically attack PeopleSoft Campus Solutions to change finance records—granting themselves financial aid, altering tuition payments, or awarding themselves grants.