Security alert raises disclosure questions

An alert by a security alert service about a PeopleSoft product vulnerability has raised issues over whether such services should let affected vendors have time to get a patch ready before alerts are issued.

A vulnerability has been discovered in an application messaging gateway that ships with PeopleTools, the toolset included in most PeopleSoft applications.

And the issuing of an alert about it by US-based Internet Security Systems has raised an issue beyond what PeopleSoft users running PeopleTools 8 should do, namely: should a security alert service first allow a vendor in whose product it finds a flaw time to get a patch ready?

ISS has been accused in the past of flouting industry convention by publicising alerts without giving the vendor adequate notice. In June it issued an alert on a flaw in the Apache web server software, which drew accusations that it had not informed Apache.

However, it may have been a case of confusion rather than direct disregard of convention. In the US, there is more than one official agency that accepts and distributes alerts and in the Apache case, ISS told the FBI's National Infrastructure Protection Centre while Apache told CERT.

ISS says it adheres to strict disclosure guidelines and spokesperson Player Pate says "the PeopleTools vulnerability was disclosed in compliance with our policy, as [alerts] always are."

The PeopleTools vulnerability could allow an attacker to send XML data that declares external entities (XXE, XML external entities); when the gateway's parser resolves those entities, confidential information can be extracted. PeopleSoft has issued a new version of PeopleTools, version 8.19, which is not affected by the vulnerability, but that version won't be available until early next month.

In the meantime, ISS has advised workarounds.
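ISS's actual workarounds are not reproduced in the article. The following is an added illustration of the vulnerability class the alert describes, not code from the article, ISS or PeopleSoft: it assumes a simple constructed message format (`<message><payload>...</payload></message>`) and uses Python's xml.sax parser in place of the PeopleTools gateway's own parser. It plants a secret file, sends an XXE message through a weak configuration (external entities resolved, which leaks the file), through a configuration with entity resolution switched off (the entity silently expands to nothing), and through a hardened configuration that also rejects any message carrying a DOCTYPE. The file path, secret contents and element names are all constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
import xml.sax.xmlreader


class PayloadCollector(xml.sax.handler.ContentHandler):
    """Gathers the text of every <payload> element, standing in for the receiving application."""

    def __init__(self):
        super().__init__()
        self.payloads = []
        self._current = None

    def startElement(self, name, attrs):
        if name == "payload":
            self._current = []

    def characters(self, content):
        if self._current is not None:
            self._current.append(content)

    def endElement(self, name):
        if name == "payload" and self._current is not None:
            self.payloads.append("".join(self._current))
            self._current = None


def _parse(message: bytes, resolve_external_entities: bool) -> list:
    """Parse one inbound message with xml.sax (expat); the feature flag is the only difference."""
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether SYSTEM entities are fetched (file or URL)
    # and inlined into the document. Python has defaulted it to off since 3.7.1.
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    collector = PayloadCollector()
    parser.setContentHandler(collector)
    source = xml.sax.xmlreader.InputSource()
    source.setByteStream(io.BytesIO(message))
    parser.parse(source)
    return collector.payloads


class UntrustedDoctype(ValueError):
    """Raised when a message carries a DTD, which an integration message never needs."""


def parse_message_weak(message: bytes) -> list:
    """Weak gateway configuration: external general entities are resolved and inlined."""
    return _parse(message, resolve_external_entities=True)


def parse_message_entities_off(message: bytes) -> list:
    """Entity resolution disabled but DTDs still accepted: the entity expands to nothing."""
    return _parse(message, resolve_external_entities=False)


def parse_message_hardened(message: bytes) -> list:
    """Reject any DOCTYPE up front, then parse with external entities disabled."""
    if b"<!DOCTYPE" in message:  # the keyword is case-sensitive in XML; belt-and-braces check
        raise UntrustedDoctype("inbound messages must not declare a DTD")
    return _parse(message, resolve_external_entities=False)


def build_xxe_message(path: str) -> bytes:
    """Constructed attacker message: an external entity pointing at a server-side file."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE message [\n"
        f'  <!ENTITY xxe SYSTEM "{path}">\n'
        "]>\n"
        "<message><payload>&xxe;</payload></message>\n"
    ).encode()


def demo() -> dict:
    """Plant a constructed secret file, run the XXE message through all three parsers, report."""
    fd, secret_path = tempfile.mkstemp(prefix="gateway-demo-")
    with os.fdopen(fd, "w") as fh:
        fh.write("db_password=hunter2\n")  # constructed secret for the demo
    try:
        message = build_xxe_message(secret_path)
        leaked = "".join(parse_message_weak(message)).strip()
        silent = "".join(parse_message_entities_off(message)).strip()
        try:
            parse_message_hardened(message)
            rejected = False
        except UntrustedDoctype:
            rejected = True
    finally:
        os.unlink(secret_path)
    return {"weak": leaked, "entities_off": silent, "hardened_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The middle configuration shows why switching off entity resolution alone is an incomplete fix for a gateway: the message is still accepted and the field arrives empty, so a malformed or hostile message passes silently instead of being logged and dropped. Rejecting the DOCTYPE outright gives the operator an auditable failure, which is the usual recommendation for message formats that never legitimately carry a DTD.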

Transpower IT delivery manager Stephen Fox says the national grid owner, a user of PeopleSoft, hadn't heard of the vulnerability.

"But we have no external access to PeopleSoft; it's all on our own LAN."

The PeopleTools application messaging gateway is used to move data between different PeopleSoft installations.

A reply from PeopleSoft about the alert was not received by deadline.
