ID

VAR-202001-1034


CVE

CVE-2020-2555


TITLE

Oracle Fusion Middleware of Oracle Coherence In Caching,CacheStore,Invocation Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-001293

DESCRIPTION

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Oracle Fusion Middleware of Oracle Coherence In Caching,CacheStore,Invocation There are vulnerabilities that affect confidentiality, integrity, and availability due to a flaw in processing.Information gained, falsified, and denial of service by remote attackers (DoS) An attack could be made. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle WebLogic. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the T3 protocol on TCP port 7001. When deserializing objects embedded with T3 protocol messages, the server allows deserialization of classes that may lead to arbitrary code execution. An attacker can leverage this vulnerability to execute code in the context of the current process. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. The platform provides functions such as middleware and software collection

Trust: 2.97

sources: NVD: CVE-2020-2555 // JVNDB: JVNDB-2020-001293 // ZDI: ZDI-20-128 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-179539 // VULMON: CVE-2020-2555

AFFECTED PRODUCTS

vendor:oraclemodel:coherencescope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:oraclemodel:coherencescope:eqversion:12.2.1.4.0

Trust: 1.0

vendor:oraclemodel:utilities frameworkscope:eqversion:4.2.0.3.0

Trust: 1.0

vendor:oraclemodel:coherencescope:eqversion:12.1.3.0.0

Trust: 1.0

vendor:oraclemodel:retail assortment planningscope:eqversion:15.0

Trust: 1.0

vendor:oraclemodel:access managerscope:eqversion:11.1.2.3.0

Trust: 1.0

vendor:oraclemodel:utilities frameworkscope:eqversion:4.4.0.2.0

Trust: 1.0

vendor:oraclemodel:commerce platformscope:eqversion:11.2.0

Trust: 1.0

vendor:oraclemodel:webcenter portalscope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:oraclemodel:webcenter portalscope:eqversion:12.2.1.4.0

Trust: 1.0

vendor:oraclemodel:commerce platformscope:lteversion:11.3.2

Trust: 1.0

vendor:oraclemodel:commerce platformscope:eqversion:11.0.0

Trust: 1.0

vendor:oraclemodel:rapid planningscope:eqversion:12.2

Trust: 1.0

vendor:oraclemodel:utilities frameworkscope:gteversion:4.3.0.1.0

Trust: 1.0

vendor:oraclemodel:utilities frameworkscope:lteversion:4.3.0.6.0

Trust: 1.0

vendor:oraclemodel:rapid planningscope:eqversion:12.1

Trust: 1.0

vendor:oraclemodel:utilities frameworkscope:eqversion:4.2.0.2.0

Trust: 1.0

vendor:oraclemodel:communications diameter signaling routerscope:lteversion:8.2.2

Trust: 1.0

vendor:oraclemodel:coherencescope:eqversion:3.7.1.0

Trust: 1.0

vendor:oraclemodel:utilities frameworkscope:eqversion:4.4.0.0.0

Trust: 1.0

vendor:oraclemodel:communications diameter signaling routerscope:gteversion:8.0.0

Trust: 1.0

vendor:oraclemodel:healthcare data repositoryscope:eqversion:7.0.1

Trust: 1.0

vendor:oraclemodel:commerce platformscope:eqversion:11.1.0

Trust: 1.0

vendor:oraclemodel:retail assortment planningscope:eqversion:16.0

Trust: 1.0

vendor:oraclemodel:commerce platformscope:gteversion:11.3.0

Trust: 1.0

vendor:oraclemodel:fusion middlewarescope:eqversion:of oracle coherence 12.1.3.0.0

Trust: 0.8

vendor:oraclemodel:fusion middlewarescope:eqversion:of oracle coherence 12.2.1.3.0

Trust: 0.8

vendor:oraclemodel:fusion middlewarescope:eqversion:of oracle coherence 12.2.1.4.0

Trust: 0.8

vendor:oraclemodel:fusion middlewarescope:eqversion:of oracle coherence 3.7.1.17

Trust: 0.8

vendor:oraclemodel:weblogicscope: - version: -

Trust: 0.7

sources: ZDI: ZDI-20-128 // JVNDB: JVNDB-2020-001293 // NVD: CVE-2020-2555

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-2555
value: CRITICAL

Trust: 1.0

secalert_us@oracle.com: CVE-2020-2555
value: CRITICAL

Trust: 1.0

NVD: CVE-2020-2555
value: CRITICAL

Trust: 0.8

ZDI: CVE-2020-2555
value: CRITICAL

Trust: 0.7

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202001-679
value: CRITICAL

Trust: 0.6

VULHUB: VHN-179539
value: HIGH

Trust: 0.1

VULMON: CVE-2020-2555
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-2555
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-179539
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

secalert_us@oracle.com: CVE-2020-2555
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2020-2555
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ZDI: CVE-2020-2555
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-128 // VULHUB: VHN-179539 // VULMON: CVE-2020-2555 // JVNDB: JVNDB-2020-001293 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202001-679 // NVD: CVE-2020-2555 // NVD: CVE-2020-2555

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.1

sources: VULHUB: VHN-179539 // NVD: CVE-2020-2555

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-679

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-001293

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-179539

PATCH

title:Oracle Critical Patch Update Advisory - January 2020url:https://www.oracle.com/security-alerts/cpujan2020.html

Trust: 1.5

title:Text Form of Oracle Critical Patch Update - January 2020 Risk Matricesurl:https://www.oracle.com/security-alerts/cpujan2020verbose.html

Trust: 0.8

title:Oracle Fusion Middleware Coherence Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108607

Trust: 0.6

title:CVE-2020-2555 Require Referenceurl:https://github.com/Uvemode/CVE-2020-2555

Trust: 0.1

title:CVE-2020-2555 Require Referenceurl:https://github.com/Y4er/CVE-2020-2555

Trust: 0.1

title:POC_CVE-2020-2555url:https://github.com/Qynklee/POC_CVE-2020-2555

Trust: 0.1

title:CVE-2020-2555url:https://github.com/wsfengfan/CVE-2020-2555

Trust: 0.1

title:Attacking_Shiro_with_CVE_2020_2555url:https://github.com/feihong-cs/Attacking_Shiro_with_CVE_2020_2555

Trust: 0.1

sources: ZDI: ZDI-20-128 // VULMON: CVE-2020-2555 // JVNDB: JVNDB-2020-001293 // CNNVD: CNNVD-202001-679

EXTERNAL IDS

db:NVDid:CVE-2020-2555

Trust: 3.3

db:PACKETSTORMid:157207

Trust: 1.7

db:PACKETSTORMid:157795

Trust: 1.7

db:PACKETSTORMid:157054

Trust: 1.7

db:ZDIid:ZDI-20-128

Trust: 1.3

db:JVNDBid:JVNDB-2020-001293

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-9020

Trust: 0.7

db:EXPLOIT-DBid:48508

Trust: 0.7

db:CNNVDid:CNNVD-202001-679

Trust: 0.7

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:EXPLOIT-DBid:48320

Trust: 0.6

db:CS-HELPid:SB2021072118

Trust: 0.6

db:CS-HELPid:SB2021072735

Trust: 0.6

db:NSFOCUSid:45703

Trust: 0.6

db:CXSECURITYid:WLB-2020050174

Trust: 0.6

db:CXSECURITYid:WLB-2020040075

Trust: 0.6

db:SEEBUGid:SSVID-98140

Trust: 0.1

db:VULHUBid:VHN-179539

Trust: 0.1

db:VULMONid:CVE-2020-2555

Trust: 0.1

sources: ZDI: ZDI-20-128 // VULHUB: VHN-179539 // VULMON: CVE-2020-2555 // JVNDB: JVNDB-2020-001293 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202001-679 // NVD: CVE-2020-2555

REFERENCES

url:https://www.oracle.com/security-alerts/cpujan2020.html

Trust: 2.4

url:http://packetstormsecurity.com/files/157054/oracle-coherence-fusion-middleware-remote-code-execution.html

Trust: 2.3

url:http://packetstormsecurity.com/files/157207/oracle-weblogic-server-12.2.1.4.0-remote-code-execution.html

Trust: 2.3

url:http://packetstormsecurity.com/files/157795/weblogic-server-deserialization-remote-code-execution.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpujan2021.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpujul2020.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpuoct2020.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpujul2021.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-2555

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-2555

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2020040075

Trust: 0.6

url:https://www.exploit-db.com/exploits/48508

Trust: 0.6

url:http://www.nsfocus.net/vulndb/45703

Trust: 0.6

url:https://www.oracle.com/security-alerts/cpujan2020verbose.html

Trust: 0.6

url:https://vigilance.fr/vulnerability/oracle-fusion-middleware-vulnerabilities-of-january-2020-31329

Trust: 0.6

url:https://media.cert.europa.eu/static/securityadvisories/2020/cert-eu-sa2020-026.pdf

Trust: 0.6

url:https://www.zerodayinitiative.com/advisories/zdi-20-128/

Trust: 0.6

url:https://www.exploit-db.com/exploits/48320

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2020050174

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021072118

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021072735

Trust: 0.6

sources: ZDI: ZDI-20-128 // VULHUB: VHN-179539 // JVNDB: JVNDB-2020-001293 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202001-679 // NVD: CVE-2020-2555

CREDITS

Jang from VNPT ISC

Trust: 0.7

sources: ZDI: ZDI-20-128

SOURCES

db:ZDIid:ZDI-20-128
db:VULHUBid:VHN-179539
db:VULMONid:CVE-2020-2555
db:JVNDBid:JVNDB-2020-001293
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202001-679
db:NVDid:CVE-2020-2555

LAST UPDATE DATE

2024-11-23T20:20:38.672000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-20-128date:2020-01-15T00:00:00
db:VULHUBid:VHN-179539date:2022-10-25T00:00:00
db:VULMONid:CVE-2020-2555date:2022-10-25T00:00:00
db:JVNDBid:JVNDB-2020-001293date:2020-01-30T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202001-679date:2022-07-14T00:00:00
db:NVDid:CVE-2020-2555date:2024-11-21T05:25:31.510

SOURCES RELEASE DATE

db:ZDIid:ZDI-20-128date:2020-01-15T00:00:00
db:VULHUBid:VHN-179539date:2020-01-15T00:00:00
db:VULMONid:CVE-2020-2555date:2020-01-15T00:00:00
db:JVNDBid:JVNDB-2020-001293date:2020-01-30T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202001-679date:2020-01-15T00:00:00
db:NVDid:CVE-2020-2555date:2020-01-15T17:15:17.347