Oracle Patches Critical Flaws in Jolt Server for Tuxedo

Oracle informed customers on Tuesday that it has patched several vulnerabilities, including ones rated critical and high severity, in the Jolt Server component of Oracle Tuxedo.

Oracle Tuxedo, a key component of Oracle Fusion Middleware, is an application server that helps users build and deploy enterprise applications developed in non-Java programming languages. Jolt provides a Java-based interface that extends the functionality of Tuxedo applications so that they can be accessed over the Internet or intranet using a web browser.

According to Oracle, a total of five vulnerabilities have been found in the Jolt Server component – the Jolt client is not impacted. The security holes affect Tuxedo versions 11.1.1, 12.1.1, 12.1.3 and 12.2.2.

The most serious of the flaws, with a CVSS score of 10, is CVE-2017-10269, which allows an unauthenticated attacker with access to the network to easily take control of Tuxedo.

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo,” Oracle said.

Another critical vulnerability in Jolt Server is CVE-2017-10272. The flaw has a CVSS score of 9.9 and its impact is similar to the one of CVE-2017-10269. However, in order to exploit it, an attacker needs to have access to at least a low privileged account.

The company pointed out that these vulnerabilities may have significant impact on other products as well, not just Tuxedo. For example, Oracle PeopleSoft products also use Tuxedo, which means PeopleSoft customers are required to apply the patches as well.

The updates released by Oracle also resolve a high severity vulnerability that allows an unauthenticated attacker to gain access to critical data (CVE-2017-10267). Another high severity flaw, tracked as CVE-2017-10278, allows access to critical data as well, but it can also be exploited to modify data and cause a partial DoS condition in Tuxedo. On the other hand, the vendor said CVE-2017-10278 is difficult to exploit.

The last vulnerability, CVE-2017-10266, has been classified as medium severity as it only gives access to a subset of Tuxedo data.

“Oracle strongly recommends affected Oracle Customers apply this Security Alert as soon as possible,” said Eric Maurice, director of security assurance at Oracle.

This is the second round of security patches released by Oracle since the company’s October Critical Patch Update (CPU). In late October, the company informed customers of an out-of-band update that fixed a critical vulnerability in Identity Manager, which is also part of the Fusion Middleware offering.

Related: Researchers Remotely Hijack Oracle OAM 10g Sessions

Related: Oracle Announces New Cloud Security Services

Related: Oracle Releases Patches for Exploited Apache Struts Flaw