
Oracle PeopleSoft SSO weak secret key

Description

Oracle PeopleSoft implements Single Sign-On (SSO) authentication using the PS_TOKEN cookie, which is cryptographically signed with a node password to prevent tampering. This vulnerability occurs when the PeopleSoft application is configured with a weak, default, or publicly known node password. The scanner successfully identified and guessed the node password being used to sign authentication tokens, indicating the secret key can be easily compromised by attackers.

Remediation

Immediately change the PeopleSoft node password to a strong, randomly generated value:

1. Log in to PeopleSoft Application Designer as an administrator
2. Navigate to PeopleTools > Security > Security Objects > Signon PeopleCode
3. Access the node password configuration (typically found in Configuration Manager or through the PSADMIN utility)
4. Generate a new node password that is at least 32 characters long, containing a mix of uppercase letters, lowercase letters, numbers, and special characters
5. Update the node password across all application servers and web servers in your PeopleSoft environment
6. Restart all PeopleSoft application and web server domains to apply the changes
7. Verify that existing user sessions are invalidated and users must re-authenticate

Consider implementing additional security controls such as token expiration policies, IP-based access restrictions, and monitoring for suspicious authentication patterns.
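A helper for step 4 of the remediation, added here as an example (it is not Invicti's or Oracle's code): it generates a node password from the operating system's CSPRNG that meets the stated policy, and checks a candidate value against that policy. The list of weak values it rejects is constructed for illustration and should be extended with anything ever used in your own environment's install scripts.

```python
import secrets
import string
from typing import List

# Character classes named in the remediation (hypothetical policy helper).
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
MIN_LENGTH = 32

# Constructed examples of weak or placeholder values that must never be accepted.
# Extend with any value that has appeared in your environment's install scripts.
KNOWN_WEAK = {"password", "changeme", "secret", "admin", "welcome1", "test"}


def check_node_password(pw: str) -> List[str]:
    """Return the policy violations for a candidate node password (empty list == acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, cls in (("uppercase", UPPER), ("lowercase", LOWER),
                      ("digit", DIGITS), ("special", SPECIAL)):
        if not any(c in cls for c in pw):
            problems.append(f"no {name} character")
    # Reject values built around a known weak word, even when padded to length.
    if any(weak in pw.lower() for weak in KNOWN_WEAK):
        problems.append("contains a known weak/default value")
    return problems


def generate_node_password(length: int = MIN_LENGTH) -> str:
    """Generate a node password from the OS CSPRNG, retrying until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"node password must be at least {MIN_LENGTH} characters")
    alphabet = UPPER + LOWER + DIGITS + SPECIAL
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_node_password(pw):
            return pw


if __name__ == "__main__":
    candidate = generate_node_password()
    print(candidate, check_node_password(candidate))
```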
