Organizations using Oracle PeopleSoft have been warned of a number of alleged vulnerabilities in the enterprise resource planning suite that could put business data at risk.
They were revealed last week at the Hack in the Box conference in Amsterdam by a researcher from ERPScan, a California company that specializes in security solutions for SAP applications, though it also finds vulnerabilities in ERP suites from other vendors.
In this case, according to a news report, the researcher said three architectural and configuration bugs could lead to big trouble if not patched. The most critical weakness lies in the token generation process for single sign-on: the token is hashed with the aging SHA-1 algorithm, and a $500 GPU card can crack an eight-character alphanumeric password within a day. This issue has reportedly not been patched yet.
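The security-relevant point in that paragraph is not SHA-1 itself but the entropy of what gets hashed: an unkeyed hash over a guessable eight-character value can be enumerated offline, whereas a token built from 128 bits of server-side randomness and a keyed MAC cannot. The script below is an added illustration, not PeopleSoft's actual token scheme and not ERPScan's code; `weak_token`, `issue_token`, `verify_token` and the 62-symbol alphabet are assumptions made for the demonstration, and the "one day" figure is taken from the report above only to derive the implied guess rate.

```python
import hashlib
import hmac
import math
import secrets

# Constructed parameters: eight characters drawn from [A-Za-z0-9] (62 symbols),
# and the one-day crack time quoted in the report above.
ALNUM_SYMBOLS = 62
PASSWORD_LEN = 8
ONE_DAY_SECONDS = 86400


def keyspace_bits(symbols: int, length: int) -> float:
    """Entropy in bits of a uniformly chosen string of `length` symbols."""
    return length * math.log2(symbols)


def guesses_per_second_needed(symbols: int, length: int, seconds: float) -> float:
    """Guess rate an attacker must sustain to exhaust the keyspace in `seconds`."""
    return (symbols ** length) / seconds


def years_to_exhaust(bits: float, rate: float) -> float:
    """Years needed to enumerate a 2**bits keyspace at `rate` guesses per second."""
    return (2 ** bits) / rate / (365 * ONE_DAY_SECONDS)


def weak_token(user: str, secret: str) -> str:
    """Hypothetical weak construction: an unkeyed SHA-1 over a low-entropy secret.
    Anyone holding the token can test guesses for `secret` offline, because
    nothing server-side is mixed in. Shown only to contrast with issue_token."""
    return hashlib.sha1(f"{user}:{secret}".encode()).hexdigest()


# Hardened construction: a per-process server key (assumed to live in a secret
# store in a real deployment) plus 128 bits of fresh randomness per token.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(user: str) -> str:
    nonce = secrets.token_bytes(16)  # 128 bits; not guessable within any budget
    tag = hmac.new(SERVER_KEY, user.encode() + b":" + nonce, hashlib.sha256).hexdigest()
    return nonce.hex() + "." + tag


def verify_token(user: str, token: str) -> bool:
    """Recompute the MAC and compare in constant time; any edit to user or nonce fails."""
    nonce_hex, _, tag = token.partition(".")
    try:
        nonce = bytes.fromhex(nonce_hex)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, user.encode() + b":" + nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    bits = keyspace_bits(ALNUM_SYMBOLS, PASSWORD_LEN)
    rate = guesses_per_second_needed(ALNUM_SYMBOLS, PASSWORD_LEN, ONE_DAY_SECONDS)
    print(f"8-char alphanumeric secret: {bits:.1f} bits, "
          f"exhausted in a day at ~{rate:.2e} guesses/s")
    print(f"128-bit random nonce at that same rate: {years_to_exhaust(128, rate):.2e} years")
    t = issue_token("alice")
    print("round trip:", verify_token("alice", t), "| wrong user:", verify_token("bob", t))
```

The takeaway for a defender is that the hash algorithm is the smaller problem: swapping SHA-1 for SHA-256 over the same eight-character secret shortens nothing materially, while a keyed MAC over a 128-bit random nonce removes the offline-guessing path entirely.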
Another problem involves a weak authentication protocol that can allow a local user to escalate privileges and gain full access to the PeopleSoft application and database. This issue has been patched.
The third has to do with default credentials in PeopleSoft and its WebLogic application server. ERPScan has been told by Oracle that default passwords have been removed in new versions of the software.
The researcher says Oracle [Nasdaq: ORCL] told him the problems are only seen in demo software, but he disagrees. Not every implementation is vulnerable, he admits, but some in production are.
Read the full news report here and see what you think.