CVE-2020-2555
Published: 15 January 2020
Summary
CVE-2020-2555 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle Utilities Framework. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-2555 is a deserialization vulnerability (CWE-502) in the Caching, CacheStore, and Invocation components of Oracle Coherence within Oracle Fusion Middleware. It affects supported versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. The flaw is remotely exploitable without authentication and carries a CVSS 3.1 base score of 9.8, reflecting full impacts to confidentiality, integrity, and availability.
An unauthenticated attacker with network access via the T3 protocol can exploit the issue to compromise and fully take over an Oracle Coherence instance. Public exploit code demonstrating remote code execution against the affected product has been published on PacketStorm.
Oracle addressed the vulnerability in its January 2020 Critical Patch Update, with additional details referenced in the January 2021 advisory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-22348
Vulnerability details
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching, CacheStore, Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all input, including serialized objects received over T3, so that malicious deserialization payloads are rejected before they are processed.
- AC-3 (Access Enforcement): enforces approved authorizations for access to Oracle Coherence, eliminating the unauthenticated network path that the CVE exploits.
- SI-2 (Flaw Remediation): requires timely application of vendor patches that remediate the specific deserialization flaw in the Caching/Invocation components.