Oracle PeopleSoft

The line of Oracle applications of PeopleSoft includes solutions for human capital management (Oracle PeopleSoft Human Capital Management), for management of finance (Oracle PeopleSoft Financial Management), vendor interaction (Oracle PeopleSoft Supplier Relationship Management), managements of operational processes (Oracle PeopleSoft Enterprise Services Automation), supply chains (Oracle PeopleSoft Supply Chain Management) and also means for developers.

History

2019: Correction of 13 vulnerabilities

On October 17, 2019 it became known that the Oracle company corrected 219 dangerous vulnerabilities in different product lines. The PeopleSoft application received 13 corrections. Read more here.

2015: Attacks on PeopleSoft Oracle applications continue

On May 3, 2015 the Digital Security company provided results of a research of security of Oracle applications PeopleSoft conducted by Alexey Tyurin, the head of the auditing department of cybersecurity.

According to the expert's outputs, for June 3, 2015 the developer does not pay sufficient attention to security of applications. The research reveals a number of vulnerabilities in PeopleSoft, the most dangerous of which allows the attack of the class "increase in privileges".

The PeopleSoft systems are often available from the Internet and to some components access without registration is necessary: for example, to the page of recovery of the password or to a form of submission of the résumé for a vacancy. For this purpose in Oracle PeopleSoft there is a special user with the minimum rights. At an input a system automatically authenticates you under this account. It allows to perform the attack of the class "increase in privileges", having picked up authentication cookie – TokenID. TokenID is generated on the basis of hashing algorithm SHA1, at the same time, according to again data retrieveds, the alphanumeric password from 8 signs is decrypted in one day on the modern video card which will cost the malefactor approximately $500.

In a research it is noted - installation of Oracle PeopleSoft usually represents a difficult procedure when many applications are established, and costs access to the weakest component attacking to get as further it can get with ease into other components.

The choice of an attack vector depends on the malefactor's purposes. Five effects of the attacks on Oracle PeopleSoft (among a set):

• Theft of SSN, it is identity fraud. Social security numbers of employees are stored in the HRM systems (human resources management). The malefactor can use SSN of the victim to obtain other personal data or to take the credit from her name. Register new number instead of compromised not easy: it is unknown whether the solution for benefit of the victim will take Charge of social security. All companies using PeopleSoft HRMS, especially public sector are subject to risk.

• Data of payment cards of employees and clients (name of the holder, the card number, purge date, the CVV code) are stored in many Oracle applications of PeopleSoft. At date leak this information can be stolen. Any enterprise, but first of all – the sphere of retail can fall a victim of the attack.

• With access to PeopleSoft Enterprise Service Automation (automation of services of the enterprise) attacking can forge information, critical for business, on project implementation phase and by that to push the management to adoption of incorrect solutions that will lead to waste of resources, failure to follow contractual obligations and reputation losses. It is the scenario of sabotage, it is most relevant for the production area.

• Current assets of the organization, from premises and the equipment to the rolling stock and production machines, – the main means of achievement of goals of the enterprise. PeopleSoft Asset Lifecycle Management (management of lifecycle of assets) allows to control these resources and to plan their maintenance. The Asset Lifecycle Management system is usually connected to production workshop. Access to this application means an opportunity to forge equipment state-of-health data. Further there are two scenarios of succession of events:
• attacking can fabricate the message that the new part will fail soon, and the company will spend spare cash
• it is real to implement in a system false data that the worn-out part actually new, and it threatens with production accident. Such scenario of the class "sabotage" threatens producer companies.

• The PeopleSoft Supplier Relationship Management application (vendor relationship management) stores information on tenders and agreements. If attacking gets access to commercial offers, he can announce more beneficial price and win the tender fraudulently. It is fraught with reputation and financial losses for the company holding the tender.

The researcher of Digital Security detected a set of threats in PeopleSoft Oracle applications from all types of malefactors: insiders, developers and even hackers from the Internet. By quantity and danger of vulnerabilities the problem is comparable to cumulative effects of three most critical gaps in security detected in SAP applications for the last five years, at the same time the majority of vulnerabilities for years do not improve.

Alexey Tyurin considers that the provision Oracle PeopleSoft is worse, than was at SAP five years ago. In the market of security of SAP the awareness increased now (more than one hundred presentations at conferences on cybersecurity in five years), there were specialists, products and real examples of the attacks, including recent cracking of the American state company USIS. In terms of the possible attacks the situation with security of Oracle PeopleSoft is five times worse, judging only by the number of publicly confirmed incidents.

"Nevertheless, there are practically no published researches of security of applications PeopleSoft. While malefactors actively operate the available vulnerabilities, the companies do not own methodology of testing of PeopleSoft Oracle applications installed at them for existence of vulnerabilities, especially architectural. Oracle regularly publishes summary of security concerns in its supplements. For malefactors of these data it can appear enough, as is confirmed by, at least, five known facts about leaks which became known. Unfortunately, the community of specialists in cybersecurity knows about the analysis of these systems little. So, our mission – to help clients and it is correct to companies consultants to estimate and protect systems, critical for business", - Alexey Tyurin noted, acting on Hack In The Box (HITB) in Amsterdam, at the end of May, 2015.

2013: Russians detected dangerous vulnerabilities in PeopleSoft Oracle applications

At the end of July, 2013 during the conference on BlackHat cybersecurity in the USA the Russian company Digital Security submitted the report on the vulnerabilities in PeopleSoft Oracle applications detected by it. According to representatives of the company, the found vulnerabilities allow the third parties to get access to a system and to take control of the critical data on personnel or suppliers which are used in applications, up to social security numbers and, perhaps, even the cards given about holders.

At the same time not only theft of data, but also a failure call in service of a corporate system or substitution of critical data, including information on bank accounts is possible, add to Digital Security.

"The combination of vulnerabilities of XML, architectural problems and such features of a configuration as storage of passwords in open form, allowed to get full access to a system", - representatives of the company note.

Digital Security transferred information on the detected vulnerabilities to Oracle then the last quickly released the patch fixing these security concerns.

Earlier Digital Security also detected the vulnerability allowing to perform failure in service using one HTTP request on the page of an input in PeopleSoft Oracle applications, tell in the company. It was eliminated in January, 2011.

The technical director of Digital Security Alexander Polyakov told TAdviser that five years ago the company very actively looked for looked for vulnerabilities in Oracle DBMS. Then he wrote the book "Security of Oracle the auditor's eyes: attack and protection" (2009) also held a set of the presentations.

"Now the product PeopleSoft was selected because it develops actively and used worldwide, the producer does on it big rates even in the presence of Fusion, - he says. - Besides, last year on BlackHat we were asked about this product, we also decided to be engaged in it. In the USA at this product large market".

Digital Security also notes that the research Oracle PeopleSoft during which vulnerabilities were detected did not put a task to find all existing problems. The overview of security of this software in general with indication of its main shortcomings was its purpose.

2011

The Oracle corporation released a service pack of the software PeopleSoft in April, 2011 to overcome a rupture of functionality of different ERP solutions of Oracle. A packet management of finance and supply chains (Financials and Supply Chain Management - FSCM) adds new functionality of SCM for users of PeopleSoft 9.1. According to Oracle, about 1200 clients already upgraded to the new 9.1 version. In addition to the updated functionality of automation of financial transactions, clients will have access to new features of supply chain management with a possibility of targeting, management of inventory and search.

Feature of new functionality of FSCM also is the new People Soft Mobile Inventory Management application (Mobile inventory management). Through this new application to personnel, using Windows on the mobile devices and portable computers, it is possible to automate different transactions of inventory. It will improve the accuracy and efficiency of inventory that finally will increase labor productivity. New opportunities will also help workers to manage accompanying documents, quotations and to own information necessary for this purpose. The service pack gives to users more control and security.