Users warned of PeopleSoft vulnerability

Make sure you're not affected...

Tags: crm, peoplesoft

By silicon.com

Published: 21 January 2003 15:17 GMT

By Patrick Gray

A serious vulnerability, which may allow attackers to obtain confidential information, has been found in PeopleSoft's Application Messaging Gateway servlet.

Internet Security Systems (ISS), a network security company based in the US, discovered the security glitch, present in default installations, and released an advisory.

"The Application Messaging Gateway is configured to run by default on the PeopleSoft Web server," the advisory said.

The vulnerability affects all 8.1x versions of PeopleTools, with the exception of 8.19. 8.4x versions are not affected. PeopleSoft users can upgrade to version 8.19, but they might have to wait a while.

"PeopleSoft has addressed all of the issues described in this advisory in PeopleTools 8.19, available on PeopleSoft's Customer Connection site in early February," ISS said.

Until the update becomes available, ISS has recommended a series of workarounds.

"ISS X-Force recommends that all PeopleSoft administrators block or restrict access to the servlets in question. X-Force also recommends that administrators take advantage of the security mechanisms that BEA WebLogic Servers provide," they said.

ISS has been subjected to criticism in the past for hastily disclosing security vulnerabilities to the security community without allowing vendors or software companies an adequate timeframe in which to engineer security fixes.

In June last year it issued a public advisory after discovering a critical security flaw in the Apache web server before notifying the Apache Software Foundation, the group responsible for maintaining the software. As a result, it was some time before the appropriate security updates were made available.

Patrick Gray writes for ZDNet Australia.
