⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-2555 — Deserialization of Untrusted Data in Oracle Commerce Platform

CWE-502 — Deserialization of Untrusted Data16 documents9 sources

Severity

9.8CRITICALNVD

EPSS

92.7%

top 0.25%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Oracle Commerce Platform Oracle Communications Diameter Signaling Router Oracle Utilities Framework +8 more

Timeline

PublishedJan 15

KEV addedNov 3

KEV dueMay 3

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages11 packages

▶NVDoracle/coherence4 versions+3

▶NVDoracle/access_manager11.1.2.3.0

▶NVDoracle/commerce_platform11.3.0 — 11.3.2+3

▶NVDoracle/utilities_framework4.3.0.1.0 — 4.3.0.6.0+4

▶NVDoracle/communications_diameter_signaling_router8.0.0 — 8.2.2

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-gm93-pfh3-mrf3: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation)↗2022-05-24

▶

CVEList

CVE-2020-2555: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation)↗2020-01-15

▶

VulnCheck

Oracle Multiple Products Remote Code Execution Vulnerability↗2020

▶

💥Exploits & PoCs

Exploit-DB

WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)↗2020-05-22

▶

Exploit-DB

Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution↗2020-04-14

▶

🔍Detection Rules

Suricata

ET EXPLOIT Oracle Coherence Deserialization RCE (CVE-2020-2555)↗2021-12-20

▶

📋Vendor Advisories

CISA

Oracle Multiple Products Remote Code Execution Vulnerability↗2021-11-03

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Dynamo Application Framework (Coherence) — CVE-2020-2555↗2021-07-15

▶

Oracle

Oracle Oracle Utilities Applications Risk Matrix: General (Oracle Coherence) — CVE-2020-2555↗2021-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: IDIH (Oracle Coherence) — CVE-2020-2555↗2020-10-15

▶

Oracle

Oracle Oracle Retail Applications Risk Matrix: Application Core (Coherence) — CVE-2020-2555↗2020-07-15

▶

🕵️Threat Intelligence

Trendmicro

Oracle WebLogic Vulnerability↗2020-05-11

▶

Trendmicro

Oracle WebLogic Vulnerability↗2020-05-11

▶

Trendmicro

Oracle WebLogic Vulnerability↗2020-05-11

▶