ERP: Bulletproof No More

By Larry Barrett Print this article Print

A security flaw in a PeopleSoft application may presage more holes in enterprise resource planning software.

Chuck Moore is too busy ironing out the installation of an upgrade to his company's human resources software to worry about network security.

That's what makes the discovery of a security flaw in PeopleSoft software alarming. Moore is vice president of human resources information and administration at WellPoint Health Networks, which is in the process of putting in place PeopleSoft 8.3 for HR.

Internet Security Systems Inc., a software security and analysis firm based in Atlanta, reported a flaw in March on PeopleSoft's Web server that could be exploited by hackers looking to gain access to the databases of a company like WellPoint, one of the nation's largest health care networks.

The flaw was found in a feature that handled the transfer of PeopleSoft reports to and from a repository on a Web server. "We always are on the watch for issues surrounding documents on our Web server," says Moore. "In this case, this particular feature wasn't something we use so I just passed it on to my security team. But it was the first (problem) I'd ever seen regarding network security" and a piece of enterprise software.

Technology executives better get used to it. Although security flaws in desktop operating systems get a lot of attention, security experts predict holes in key corporate applications, such as enterprise resource planning software, will become increasingly exposed. The PeopleSoft discovery represents only the first widely reported example of vulnerabilities that reside within enterprise applications that store, transport and update critical data that is accessed in some fashion from the Internet, says Gartner Inc. analyst Chad Eschinger.

In the PeopleSoft incident, the security hole was found within the code used for a small program called "SchedulerTransfer" that resides on the PeopleSoft Web server. The small program, also called a servlet, is used to move reports back and forth from a report directory on the server. Since the servlet sits on a server, the server and its contents can be vulnerable to access through the hole.

The hole wouldn't have been such a security issue had the program not been configured to run by default. That means the flawed servlet is up and running, unless a system administrator specifically turns it off.

Worse, the servlet did not require any user authentication to access or upload report files, according to ISS. PeopleSoft officials say no customer files were compromised, but ISS engineers asserted that hackers could have easily gained access. From there, the intruder could:

  • Order other applications or "executables" be transferred from the company's server, download them and then put them to use
  • Create and overwrite files elsewhere on the server.
  • Replace legitimate servlets with illegitimate versions
  • Add other programs that would allow them to execute commands and controls remotely

Bottom line: The most sensitive data in a company's enterprise servers could be available to anyone with a keyboard, a browser and a Web connection.

"We were notified by PeopleSoft about this problem and we were very concerned," says one information systems manager at a PeopleSoft account who spoke on the condition of anonymity. "It's disturbing to know this vulnerability existed, but it's not terribly surprising."

The vulnerability was found in several iterations of PeopleTools, including versions 8.1 to 8.18, version 8.40 and version 8.41. PeopleTools are used to develop, enhance and compliment applications.

Within a month of finding this particular flaw, PeopleSoft developed a patch customers could download from their Customer Connection Web site. PeopleSoft officials said none of the customers who were vulnerable to the attack reported any intruders to their files or servers.

This article was originally published on 2003-04-07
Senior Writer
Larry, of San Carlos, Calif., was a senior writer and editor at CNet, writing analysis, breaking news and opinion stories. He was technology reporter at the San Jose Business Journal from 1996-1997. He graduated with a B.A. from San Jose State University where he was also executive editor of the daily student newspaper.
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.