Resolve concerns regarding PeopleSoft PS_TOKEN cracking

(Doc ID 2017521.1)

Last updated on OCTOBER 17, 2016

Applies to:

PeopleSoft Enterprise PT PeopleTools - Version 8.51 to 8.54 [Release 8.4]
Information in this document applies to any platform.

Goal

In May 2015, a security researcher claimed that brute-force attacks could be used against the PeopleSoft cookie token (PS_TOKEN), allegedly allowing a malicious attacker to escalate his or her privileges.

The purpose of this note is to discuss these public assertions as they relate to the weakness of the SHA-1 algorithm against brute-force attacks and the implications of such attacks in PeopleSoft Enterprise environments.

Solution
