PeopleSoft vulnerability threatens data

By Patrick Gray
28 January 2003 04:30 PM
A serious vulnerability, which may allow attackers to obtain confidential information, has been found in PeopleSoft's Application Messaging Gateway servlet.

Internet Security Systems (ISS), a network security company based in Atlanta, USA, discovered the security glitch, present in default installations, and released an advisory.

"The Application Messaging Gateway is configured to run by default on the PeopleSoft Web server," the advisory said.

The vulnerability affects all 8.1x versions of PeopleTools, with the exception of 8.19. 8.4x versions are not affected. PeopleSoft users can upgrade to version 8.19, but they might have to wait a while.

"PeopleSoft has addressed all of the issues described in this advisory in PeopleTools 8.19, available on PeopleSoft's Customer Connection site in early February," ISS said.

In the meantime, until the update becomes available, ISS has recommended a series of workarounds.

"ISS X-Force recommends that all PeopleSoft administrators block or restrict access to the servlets in question. X-Force also recommends that administrators take advantage of the security mechanisms that BEA WebLogic Servers provide," they said.

ISS has been subjected to criticism in the past for hastily disclosing security vulnerabilities to the security community without allowing vendors or software companies an adequate timeframe in which to engineer security fixes.

In June last year they issued a public advisory after discovering a critical security flaw in the Apache web server before notifying the Apache Software Foundation, the group responsible for maintaining the software. As a result it was some time before the appropriate security updates were made available.


Talkback 1 comments

    "PeopleSoft users can upg ...Anonymous -- 23/01/03

    "PeopleSoft users can upgrade to version 8.19, but they might have to wait a while."

    cause we haven't released it yet, sounds more like they will have to wait till next month
