Severity: Critical
CVSS Score: 10
The remote Oracle PeopleSoft PeopleTools server exposes both the Integration Broker gateway ('/PSIGW/HttpListeningConnector') and the Environment Management Hub ('/PSEMHUB/hub') on the same web tier. The Integration Broker fails to validate that XML documents submitted by unauthenticated clients do not reference internal or external network resources. An attacker posts a crafted XML envelope (DOCTYPE external-entity, EnvironmentManagement message, or IBRequest SOAP message) whose 'sourceURL', 'url', or 'HubURL' element points to an attacker-controlled URL.

The Integration Broker acts as an unauthenticated SSRF proxy:

- Outbound: the IB resolves and fetches attacker-controlled external URLs, leaking DNS queries and potentially cloud instance metadata.
- Inbound loopback: when the SSRF target is http://127.0.0.1:<port>/PSEMHUB/hub, the IB relays the request to the local Hub. The Hub accepts loopback connections without authentication. Published exploit chains pass a deserialized Java object in the 'OPERATION' POST parameter to invoke Hub operations (FILECHUNKING, REGISTER_WITHOUT_PEERNAME, HANDLE_MESSAGE) and achieve remote code execution as the PeopleSoft application server user.

Nessus confirmed the SSRF non-destructively by:

1. Verifying /PSEMHUB/hub is present (not mitigated by context root removal).
2. Sending three XML payload shapes to /PSIGW/HttpListeningConnector with the SSRF target set to a per-scan DNS callback URL.
3. Detecting an outbound DNS resolution of the callback hostname, which proves the Integration Broker followed the attacker-supplied URL.

A patched or mitigated system either returns HTTP 404 for /PSEMHUB/hub (context root removed) or rejects the XML before dereferencing the URL, and no DNS callback is observed.
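For log review, the inbound loopback relay described above leaves a recognisable pair of entries: a remote POST to the Integration Broker listener followed shortly by a loopback request to the Hub. The following detection sketch is an added example, not part of the plugin or of any Oracle or Tenable code. It assumes the web tier writes combined-format access logs that include loopback requests, and the 5-second correlation window, the function names and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:15:01 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512
127.0.0.1 - - [12/Mar/2025:10:15:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 87
10.20.0.5 - - [12/Mar/2025:10:20:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096
127.0.0.1 - - [12/Mar/2025:11:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 87
198.51.100.9 - - [12/Mar/2025:11:30:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 120
"""

# Assumption: common/combined log format; adjust the pattern to the real web tier.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IB_PATH = "/PSIGW/HttpListeningConnector"   # path named in the advisory
HUB_PATH = "/PSEMHUB/hub"                   # path named in the advisory
LOOPBACK = {"127.0.0.1", "::1"}

def parse(log_text):
    """Return time-sorted (time, client_ip, method, path, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore the query string
        events.append((ts, m["ip"], m["method"], path, int(m["status"])))
    return sorted(events)

def find_relay_chains(log_text, window_seconds=5):
    """Pair each remote IB POST with loopback Hub hits inside the window."""
    events = parse(log_text)
    window = timedelta(seconds=window_seconds)
    findings = []
    for ts, ip, method, path, _ in events:
        if method != "POST" or path != IB_PATH or ip in LOOPBACK:
            continue
        for hts, hip, _, hpath, hstatus in events:
            if hip in LOOPBACK and hpath == HUB_PATH and ts <= hts <= ts + window:
                findings.append({
                    "client": ip, "ib_time": ts.isoformat(),
                    "hub_time": hts.isoformat(), "hub_status": hstatus,
                })
    return findings
```

A `hub_status` of 404 in a finding is consistent with the context-root mitigation noted above; any other status means the Hub answered the relayed request and the pair warrants investigation.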