More than 1000 PeopleSoft applications are exposed to the Internet. What are the risks?
Oracle PeopleSoft is widely implemented in midsize companies and large enterprises (many from the Fortune 100) across various industries to manage resources. The software is also in use at government and higher-education institutions.
The PeopleSoft Suite includes Human Capital Management, Financial Management, Supplier Relationship Management, Supply Chain Management, and other applications. Needless to say, these applications store and manage sensitive, business-critical data.
A common misconception is that enterprise software does not run on a public-facing network. However, a scan we conducted revealed that more than 1000 unique PeopleSoft applications are accessible from the Internet.
The first question that arises is why we should care about PeopleSoft security.
As the graph above shows, Oracle has so far released 361 patches for the PeopleSoft Suite in total (according to the vendor’s official advisories). To make matters worse, most of them address issues that can be exploited remotely without authentication. PeopleSoft consists of numerous subcomponents; if any one of them lacks even a single patch, an attacker can exploit that issue, and the attack may end in compromise of the whole system.
The map below shows where the exposed PeopleSoft applications are located (an interactive version is available via the link).
The top countries by the number of Internet-accessible services are as follows:
What applications are installed
In some cases, our scanning method allowed us to identify which application is available online.
A quarter of the applications (namely, 253) belong to the vendor’s student system, the PeopleSoft Campus Solutions suite. It is followed by Oracle’s PeopleSoft Human Capital Management, a product that provides human-resources functionality, meaning that it stores key HR data.
It is noteworthy that several PeopleSoft systems are installed in government institutions. In comparison with other segments, the number may not look impressive, but if even one of the exposed government systems is vulnerable, the consequences of a cyberattack are limited only by the attackers’ imagination, be they cyberterrorists, state-sponsored actors, or hacktivists.
As mentioned above, PeopleSoft patch management plays a vital role in protecting the applications. Nonetheless, it is not enough on its own. PeopleSoft users should also take numerous additional actions, such as changing default PeopleSoft accounts and checking for unnecessary functionality.