Vulnerability Details CVE-2020-2555
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.93
EPSS Ranking 99.8%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Proposed Action
Multiple Oracle products contain a remote code execution vulnerability that allows an unauthenticated attacker with network access via T3 or HTTP to takeover the affected system. Impacted Oracle products: Oracle Coherence in Fusion Middleware, Oracle Utilities Framework, Oracle Retail Assortment Planning, Oracle Commerce, Oracle Communications Diameter Signaling Router (DSR).
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/157054/Oracle-Coherence-Fusion-Middleware-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157207/Oracle-WebLogic-Server-12.2.1.4.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157795/WebLogic-Server-Deserialization-Remote-Code-Execution.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://packetstormsecurity.com/files/157054/Oracle-Coherence-Fusion-Middleware-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157207/Oracle-WebLogic-Server-12.2.1.4.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157795/WebLogic-Server-Deserialization-Remote-Code-Execution.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2555
Products affected by CVE-2020-2555
-
cpe:2.3:a:oracle:access_manager:11.1.2.3.0
-
cpe:2.3:a:oracle:coherence:12.1.3.0.0
-
cpe:2.3:a:oracle:coherence:12.2.1.3.0
-
cpe:2.3:a:oracle:coherence:12.2.1.4.0
-
cpe:2.3:a:oracle:coherence:3.7.1.0
-
cpe:2.3:a:oracle:commerce_platform:11.0.0
-
cpe:2.3:a:oracle:commerce_platform:11.1.0
-
cpe:2.3:a:oracle:commerce_platform:11.2.0
-
cpe:2.3:a:oracle:commerce_platform:11.3.0
-
cpe:2.3:a:oracle:commerce_platform:11.3.1
-
cpe:2.3:a:oracle:commerce_platform:11.3.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2
-
cpe:2.3:a:oracle:healthcare_data_repository:7.0.1
-
cpe:2.3:a:oracle:rapid_planning:12.1
-
cpe:2.3:a:oracle:rapid_planning:12.2
-
cpe:2.3:a:oracle:retail_assortment_planning:15.0
-
cpe:2.3:a:oracle:retail_assortment_planning:16.0
-
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0
-
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.2.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.3.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.4
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.4.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0
-
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0
-
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0
-
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0
-
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0