CVE-2017-10266 Oracle Tuxedo and PeopleSoft Multiple Vulnerabilties




Oracle Tuxedo is an application server for non-Java languages. It provides a bunch of facilities that help customers build and deploy enterprise applications written in C, C++, COBOL, and with the SALT add-on applications written in Python and Ruby. As an application server, it provides containers to host your business logic written in those languages.

Oracle Jolt is a Java-based client API that manages requests to Oracle Tuxedo services via a Jolt Service Listener (JSL) running on the Tuxedo server. The Jolt API is embedded within the WebLogic API, and is accessible from a servlet or any other Oracle WebLogic application.

Jolt server within Oracle Tuxedo suffers from multiple vulnerabilities. Since Oracle PeopleSoft products include and use Oracle Tuxedo in their distributions, these vulnerabilities also affect Oracle PeopleSoft.

Affected Versions:
Oracle Tuxedo versions prior to Patch Level RP100
Oracle Tuxedo versions prior to Patch Level RP089
Oracle Tuxedo versions prior to Patch Level RP023
Oracle Tuxedo versions prior to Patch Level RP179
Oracle Tuxedo versions prior to Patch Level RP035

QID Detection Logic(Authenticated):
This QID looks for Jolt Server binary ‘JSL’ on the target and checks to see if the modification date is less than the patched binary.


An unauthenticated, remote attacker could exploit these vulnerabilities to retrieve logged in users credentials from the target server running Oracle Tuxedo.


Customers are advised to refer to Oracle Security Alert Advisory – CVE-2017-10269 for information pertaining to remediating this vulnerability.

Following are links for downloading patches to fix the vulnerabilities:

Oracle Security Alert Advisory-CVE-2017-10269

Leave a Reply