Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Oracle Patches Critical Flaws in Jolt Server for Tuxedo

Oracle informed customers on Tuesday that it has patched several vulnerabilities, including ones rated critical and high severity, in the Jolt Server component of Oracle Tuxedo.

Oracle informed customers on Tuesday that it has patched several vulnerabilities, including ones rated critical and high severity, in the Jolt Server component of Oracle Tuxedo.

Oracle Tuxedo, a key component of Oracle Fusion Middleware, is an application server that helps users build and deploy enterprise applications developed in non-Java programming languages. Jolt provides a Java-based interface that extends the functionality of Tuxedo applications so that they can be accessed over the Internet or intranet using a web browser.

According to Oracle, a total of five vulnerabilities have been found in the Jolt Server component – the Jolt client is not impacted. The security holes affect Tuxedo versions 11.1.1, 12.1.1, 12.1.3 and 12.2.2.

The most serious of the flaws, with a CVSS score of 10, is CVE-2017-10269, which allows an unauthenticated attacker with access to the network to easily take control of Tuxedo.

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo,” Oracle said.

Another critical vulnerability in Jolt Server is CVE-2017-10272. The flaw has a CVSS score of 9.9 and its impact is similar to the one of CVE-2017-10269. However, in order to exploit it, an attacker needs to have access to at least a low privileged account.

The company pointed out that these vulnerabilities may have significant impact on other products as well, not just Tuxedo. For example, Oracle PeopleSoft products also use Tuxedo, which means PeopleSoft customers are required to apply the patches as well.

The updates released by Oracle also resolve a high severity vulnerability that allows an unauthenticated attacker to gain access to critical data (CVE-2017-10267). Another high severity flaw, tracked as CVE-2017-10278, allows access to critical data as well, but it can also be exploited to modify data and cause a partial DoS condition in Tuxedo. On the other hand, the vendor said CVE-2017-10278 is difficult to exploit.

The last vulnerability, CVE-2017-10266, has been classified as medium severity as it only gives access to a subset of Tuxedo data.

“Oracle strongly recommends affected Oracle Customers apply this Security Alert as soon as possible,” said Eric Maurice, director of security assurance at Oracle.

This is the second round of security patches released by Oracle since the company’s October Critical Patch Update (CPU). In late October, the company informed customers of an out-of-band update that fixed a critical vulnerability in Identity Manager, which is also part of the Fusion Middleware offering.

Related: Researchers Remotely Hijack Oracle OAM 10g Sessions

Related: Oracle Announces New Cloud Security Services

Related: Oracle Releases Patches for Exploited Apache Struts Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.