As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPUs), the July 2018 quarterly patch is significant and high-risk for PeopleSoft applications. Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different from previous quarters in terms of risk and prioritization within your organization.
For this quarter, 15 security vulnerabilities are patched in PeopleSoft applications and PeopleTools:
10 - PeopleTools
2 - PeopleSoft Financials
2 - PeopleSoft HCM
1 - PeopleSoft Campus Solutions
11 of the 15 security vulnerabilities are remotely exploitable without authentication; an attacker can therefore exploit PeopleSoft without any credentials. For this quarter, there are 7 cross-site scripting vulnerabilities, 3 vulnerabilities in third-party libraries used in PeopleSoft, and 5 vulnerabilities of other types.
10 cross-site scripting (XSS) vulnerabilities and 4 other types of vulnerabilities were fixed. Most important is that 13 of the 14 vulnerabilities are remotely exploitable without authentication.
For PeopleTools, only 8.55 and 8.56 are supported; previous versions of PeopleTools must be upgraded before the security patches can be applied.
Another vulnerability, in Tuxedo JOLT (CVE-2018-3007), is fixed in this CPU, so Tuxedo must also be patched. Configuration changes must also be made to the Tuxedo server to limit connections to both JSH and WSH, which reduces the risk from these vulnerabilities.
A number of vulnerabilities in WebLogic are fixed in this CPU, including one accessible via the T3 protocol. In addition to applying the appropriate WebLogic security patch, WebLogic should be configured to allow access only over the HTTPS protocol.
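The usual way to restrict a WebLogic listener to HTTPS is a connection filter (weblogic.security.net.ConnectionFilterImpl) whose rules take the form "target localAddress localPort action [protocols]", are checked in order with the first match deciding, and allow the connection when nothing matches. The block below is an added example, not Integrigy's or Oracle's code: a small Python simulator of that rule syntax that lets an administrator check a proposed rule set offline before applying it. It assumes first-match, default-allow semantics, models targets as IP addresses or CIDR ranges only (hostname targets and the localAddress column are not modelled and are treated as wildcards), and uses constructed rule sets and documentation-range IP addresses as sample input.

```python
"""
Offline check of WebLogic connection-filter rules (added example, not vendor code).

Rule line:  target localAddress localPort action [protocol ...]
  target     remote address or CIDR range (hostnames are not modelled here)
  localPort  listener port or *
  action     allow | deny
  protocols  optional list (http https t3 t3s ...); none means every protocol
Assumptions: rules are evaluated top to bottom, the first match decides, and a
connection matching no rule is allowed.  The localAddress column is ignored.
"""
import ipaddress


def parse_rules(text):
    """Parse rule lines ('#' starts a comment) into a list of rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed rule: {raw!r}")
        target, _local_addr, local_port, action = parts[:4]
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        rules.append({
            "target": ipaddress.ip_network(target, strict=False),
            "local_port": None if local_port == "*" else int(local_port),
            "action": action,
            "protocols": {p.lower() for p in parts[4:]},  # empty set = all
        })
    return rules


def evaluate(rules, remote_ip, local_port, protocol):
    """Return (action, index of the deciding rule) for one inbound connection.

    The index is None when no rule matched and the implicit allow applied."""
    ip = ipaddress.ip_address(remote_ip)
    for idx, rule in enumerate(rules):
        if ip not in rule["target"]:
            continue
        if rule["local_port"] is not None and rule["local_port"] != local_port:
            continue
        if rule["protocols"] and protocol.lower() not in rule["protocols"]:
            continue
        return rule["action"], idx
    return "allow", None


# Constructed probe set: an Internet client and an internal client hitting the
# usual admin (7001) and SSL (7002) listener ports.
DEFAULT_PROBES = (("203.0.113.5", 7001), ("203.0.113.5", 7002), ("10.0.0.5", 7001))


def find_t3_holes(rules, probes=DEFAULT_PROBES):
    """List every (remote_ip, port, protocol) for which t3 or t3s is still allowed."""
    holes = []
    for remote_ip, port in probes:
        for proto in ("t3", "t3s"):
            if evaluate(rules, remote_ip, port, proto)[0] == "allow":
                holes.append((remote_ip, port, proto))
    return holes


# Constructed rule set: HTTPS from anywhere, everything else denied.
GOOD_RULES = """
0.0.0.0/0 * * allow https
0.0.0.0/0 * * deny
"""

# Constructed rule set showing the ordering mistake: the broad allow on the
# first line matches first, so the T3 deny below it is never reached.
BAD_RULES = """
0.0.0.0/0 * * allow
0.0.0.0/0 * * deny t3 t3s
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "t3 holes:", find_t3_holes(parse_rules(text)))
```

Running the module prints an empty hole list for the first rule set and six entries for the second, which is the symptom to look for: a deny that appears after a catch-all allow is dead, so the rule set must put the narrow HTTPS allow first and the catch-all deny last.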
For the July 2018 CPU, only 18.104.22.168 and 22.214.171.124 are supported for security patches. For the database, there is an OJVM security patch, so either the combo patch or a separate OJVM patch must be applied to correct the vulnerability in the Java Virtual Machine (JVM) in the database that is used by PeopleSoft.
July 2018 Recommendations
As with almost all Critical Patch Updates, the security vulnerability fixes are significant and high-risk. Corrective action should be taken immediately for all PeopleSoft environments. The implementations most at risk are Internet-facing environments, and Integrigy rates this CPU as high risk because of the large number of cross-site scripting (XSS) vulnerabilities that can be remotely exploited without authentication. These implementations should apply the CPU as soon as possible or use a virtual patching solution such as AppDefend.
Most PeopleSoft environments do not apply the CPU security patch in a timely manner and are vulnerable to full compromise of the application through exploitation of multiple vulnerabilities. If the CPU cannot be applied quickly, the only effective alternative is the use of Integrigy's AppDefend, an application firewall for Oracle PeopleSoft. AppDefend provides virtual patching and can effectively replace patching of PeopleSoft web security vulnerabilities.
CVEs referenced: CVE-2017-5645, CVE-2018-1275, CVE-2018-2990, CVE-2018-2977, CVE-2018-0739, CVE-2018-2951, CVE-2018-3068, CVE-2018-2929, CVE-2018-2919, CVE-2018-2985, CVE-2018-2986, CVE-2018-3016, CVE-2018-3072, CVE-2018-2970, CVE-2018-3076