Security alert posted for PeopleSoft
A serious security flaw in business management software from PeopleSoft leaves sensitive corporate data vulnerable to hackers, a computer security firm warns.
The flaw, known as a remote command execution vulnerability, gives outsiders the ability to install malicious computer code on PeopleSoft customers' Web servers, potentially leading to a "complete compromise" of their PeopleSoft business systems, according to Internet Security Systems (ISS), the Atlanta-based computer security company that issued the warning.
"Compromise of PeopleSoft Web server installations may disclose critical confidential information and facilitate the compromise of PeopleSoft application and database back-end servers," stated the ISS advisory.
Pleasanton, Calif.-based PeopleSoft supplies software designed to streamline accounting, human resources, sales and manufacturing activities to more than 5,000 companies around the world. The flaw affects only certain releases of PeopleSoft version 8, which the company began shipping in 2000. Nearly 2,000 companies have installed version 8, according to PeopleSoft spokesman Steve Swasey. He declined, however, to comment on how many of those customers could be affected by the vulnerability.
The flawed software, which is configured to run by default, affects numerous versions of a core component of its applications called PeopleSoft Tools, including versions 8.4, 8.41 and 8.10 through 8.18. Specifically, the problem pertains to a small Java program, known as a "servlet," that resides on PeopleSoft Web servers and can be used to upload files without any authentication. The purpose of the servlet, according to PeopleSoft, is to transfer business reports between servers using Internet protocols such as HTTP (hypertext transfer protocol).
PeopleSoft released patches to correct the problem several weeks ago, Swasey said. The patches and details about the vulnerability are available on the company's private Web site for PeopleSoft customers as well as through ISS. PeopleSoft has yet to hear of any problems related to the security flaw, Swasey added. An ISS spokesman also said the flaw had not yet been exploited, as far as he knew.
PeopleSoft touts version 8 of its applications as a major advancement of its technology because of its use of Internet protocols. PeopleSoft competitors SAP, Siebel Systems and Oracle have also released software designed to run over the Web.