The latest security flaw in the popular enterprise resource planning (ERP) solution is the second identified by ISS in as many months; however, this latest flaw is much more serious than the last, a fact that is highlighted in the advisory.
"This attack can result in complete compromise of PeopleSoft Web Server installations," it said.
PeopleSoft is commonly used to handle human resources, customer relations, supply chain and finance applications. A java servlet shipped with the PeopleTools application is the vulnerable component.
The previous vulnerability was first disclosed to the public in early January, which is about the time that ISS found the most recent flaw, says Neel Mehta, the ISS Research Engineer who found the bug.
"It was the same block of research," he said.
ISS spent considerable time working with PeopleSoft to produce a fix and work-arounds.
"We've been working with PeopleSoft for a couple of months now on this," he said.
Due to the sensitive, business-critical nature of the information handled by ERP solutions, the vulnerability is sure to generate more than a little concern. Most versions of PeopleTools are affected, and unlike other vulnerabilities, this latest bug affects default installations of the software.
"It is a default servlet... [and] there isn't any authentication required to exploit this. This vulnerability is slightly more serious than the last one we discovered," Mehta said.
"Anything that allows attackers to run code remotely is pretty serious," he added.
Concerned administrators can apply a vendor fix, disable the vulnerable servlet or restrict access to it by adding authentication measures.
The full advisory can be found here: http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21999.