Oracle Tuxedo "JOLTandBLEED" vulnerability (CVE-2017-10269)

In November 2017 Oracle published a vulnerability in the Jolt Server, a component of Oracle Tuxedo. A PoC exploit for this vulnerability has recently been published.

Using the JOLT protocol, attackers could send specially crafted packets to obtain chunks of the server’s memory. The dumped memory chunks may contain sensitive information such as clear text credentials for the PeopleSoft web interface. The vulnerability got its name from this similarity to the Heartbleed vulnerability.

The following iRule detects and blocks “JOLTandBLEED” exploitation attempts. Note that the JOLT protocol is not based on HTTP, so the iRule inspects the raw TCP payload.

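when CLIENT_ACCEPTED {
  # Hold back the first 24 bytes of the connection for inspection
  TCP::collect 24
}
when CLIENT_DATA {
  # 24-byte request prefix used as the signature. The ASCII "2" is written as \x32
  # because Tcl 8.4 reads "\x002" as the single byte 0x02.
  if { [TCP::payload] starts_with "JOLT\x00\x00\x00\x0f\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x32\x00\x00\x00\x00" } {
    log local0. "Detected JoltandBleed vulnerability exploitation attempt, rejecting."
    reject
    return
  }
  # No match: forward the collected data
  TCP::release
}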
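
The collect-then-compare logic of the iRule above can be checked offline before deployment. The following Python model is an added example, not part of the original article or of any F5 code. The names `PrefixFilter`, `feed` and `classify` are hypothetical, the inputs are constructed, and the signature is assumed to be the 24 bytes of the iRule pattern with the ASCII "2" read as byte 0x32.

```python
# Added example: offline model of the iRule's collect-then-compare logic.
# Signature bytes are copied from the iRule; the ASCII "2" is byte 0x32 (assumption).
SIGNATURE = (b"JOLT\x00\x00\x00\x0f\x00\x00\x00\x18"
             b"\x00\x00\x00\x00\x00\x00\x00\x32\x00\x00\x00\x00")
COLLECT = 24  # same threshold as "TCP::collect 24"


class PrefixFilter:
    """Buffers the first COLLECT bytes of each connection, then decides once."""

    def __init__(self):
        self._buf = {}       # conn_id -> bytes held back so far
        self._verdict = {}   # conn_id -> "reject" or "release"

    def feed(self, conn_id, segment):
        """Return 'pending', 'reject' or 'release' for this connection."""
        if conn_id in self._verdict:          # the decision is sticky
            return self._verdict[conn_id]
        data = self._buf.get(conn_id, b"") + segment
        if len(data) < COLLECT:               # keep collecting, forward nothing
            self._buf[conn_id] = data
            return "pending"
        self._buf.pop(conn_id, None)
        verdict = "reject" if data.startswith(SIGNATURE) else "release"
        self._verdict[conn_id] = verdict
        return verdict


def classify(segments):
    """Run one connection's segments through a fresh filter; return the last verdict."""
    flt, verdict = PrefixFilter(), "pending"
    for seg in segments:
        verdict = flt.feed("c1", seg)
    return verdict


# Constructed inputs (not captured traffic).
WHOLE = [SIGNATURE + b"\x00" * 8]                         # signature in one segment
SPLIT = [SIGNATURE[:3], SIGNATURE[3:17], SIGNATURE[17:]]  # split across segments
OTHER = [b"JOLT" + b"\x00" * 20]                          # same magic, different header
SHORT = [b"JOLT\x00\x00"]                                 # fewer than 24 bytes so far

if __name__ == "__main__":
    for name, segs in [("whole", WHOLE), ("split", SPLIT),
                       ("other", OTHER), ("short", SHORT)]:
        print(name, classify(segs))
```

The split case shows why the iRule collects a fixed 24 bytes before comparing: a signature delivered across several TCP segments is still matched as one prefix.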
Published Feb 19, 2018
Version 1.0
