Oracle Tuxedo is an application server for non-Java languages. It provides a bunch of facilities that help customers build and deploy enterprise applications written in C, C++, COBOL, and with the SALT add-on applications written in Python and Ruby. As an application server, it provides containers to host your business logic written in those languages.
Oracle Jolt is a Java-based client API that manages requests to Oracle Tuxedo services via a Jolt Service Listener (JSL) running on the Tuxedo server. The Jolt API is embedded within the WebLogic API, and is accessible from a servlet or any other Oracle WebLogic application.
Jolt server within Oracle Tuxedo suffers from multiple vulnerabilities. Since Oracle PeopleSoft products include and use Oracle Tuxedo in their distributions, these vulnerabilities also affect Oracle PeopleSoft.
Oracle Tuxedo versions 184.108.40.206.0 prior to Patch Level RP100
Oracle Tuxedo versions 220.127.116.11.0 prior to Patch Level RP089
Oracle Tuxedo versions 18.104.22.168.0 prior to Patch Level RP023
Oracle Tuxedo versions 22.214.171.124.0 prior to Patch Level RP179
Oracle Tuxedo versions 126.96.36.199.0 prior to Patch Level RP035
QID Detection Logic(Authenticated):
This QID looks for Jolt Server binary ‘JSL’ on the target and checks to see if the modification date is less than the patched binary.
An unauthenticated, remote attacker could exploit these vulnerabilities to retrieve logged in users credentials from the target server running Oracle Tuxedo.