SecurityWeek

Oracle Patches Critical Flaws in Jolt Server for Tuxedo

Oracle informed customers on Tuesday that it has patched several vulnerabilities, including ones rated critical and high severity, in the Jolt Server component of Oracle Tuxedo.

Oracle Tuxedo, a key component of Oracle Fusion Middleware, is an application server that helps users build and deploy enterprise applications developed in non-Java programming languages. Jolt provides a Java-based interface that extends the functionality of Tuxedo applications so that they can be accessed over the Internet or intranet using a web browser.

According to Oracle, a total of five vulnerabilities have been found in the Jolt Server component – the Jolt client is not impacted. The security holes affect Tuxedo versions 11.1.1, 12.1.1, 12.1.3 and 12.2.2.

The most serious of the flaws, with a CVSS score of 10, is CVE-2017-10269, which allows an unauthenticated attacker with access to the network to easily take control of Tuxedo.

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo,” Oracle said.

Another critical vulnerability in Jolt Server is CVE-2017-10272. The flaw has a CVSS score of 9.9 and its impact is similar to that of CVE-2017-10269. However, in order to exploit it, an attacker needs access to at least a low-privileged account.

The company pointed out that these vulnerabilities may have significant impact on other products as well, not just Tuxedo. For example, Oracle PeopleSoft products also use Tuxedo, which means PeopleSoft customers are required to apply the patches as well.

The updates released by Oracle also resolve a high severity vulnerability that allows an unauthenticated attacker to gain access to critical data (CVE-2017-10267). Another high severity flaw, tracked as CVE-2017-10278, allows access to critical data as well, but it can also be exploited to modify data and cause a partial DoS condition in Tuxedo. On the other hand, the vendor said CVE-2017-10278 is difficult to exploit.

The last vulnerability, CVE-2017-10266, has been classified as medium severity as it only gives access to a subset of Tuxedo data.

“Oracle strongly recommends affected Oracle Customers apply this Security Alert as soon as possible,” said Eric Maurice, director of security assurance at Oracle.

This is the second round of security patches released by Oracle since the company’s October Critical Patch Update (CPU). In late October, the company informed customers of an out-of-band update that fixed a critical vulnerability in Identity Manager, which is also part of the Fusion Middleware offering.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.