CVE-2020-2555
Summary
| CVE | CVE-2020-2555 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-01-15 17:15:00 UTC |
| Updated | 2022-10-25 17:58:00 UTC |
| Description | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). |
Risk And Classification
EPSS: 0.931410000 probability, percentile 0.997950000 (date 2026-04-01)
CISA KEV: Listed on 2021-11-03; due 2022-05-03; ransomware use Unknown
Problem Types: CWE-502
CISA Known Exploited Vulnerability
| Vendor | Oracle |
|---|---|
| Product | Multiple Products |
| Name | Oracle Multiple Products Remote Code Execution Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2020-2555 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Oracle | Coherence | 12.1.3.0.0 | All | All | All |
| Application | Oracle | Coherence | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Coherence | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Coherence | 3.7.1.0 | All | All | All |
| Application | Oracle | Commerce Platform | 11.0.0 | All | All | All |
| Application | Oracle | Commerce Platform | 11.1.0 | All | All | All |
| Application | Oracle | Commerce Platform | 11.2.0 | All | All | All |
| Application | Oracle | Commerce Platform | All | All | All | All |
| Application | Oracle | Communications Diameter Signaling Router | All | All | All | All |
| Application | Oracle | Healthcare Data Repository | 7.0.1 | All | All | All |
| Application | Oracle | Rapid Planning | 12.1 | All | All | All |
| Application | Oracle | Rapid Planning | 12.2 | All | All | All |
| Application | Oracle | Retail Assortment Planning | 15.0 | All | All | All |
| Application | Oracle | Retail Assortment Planning | 16.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.3.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.0.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | All | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.4.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Oracle Critical Patch Update Advisory - July 2021 | MISC | www.oracle.com | |
| Oracle Coherence Fusion Middleware Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit, Third Party Advisory, VDB Entry |
| Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com | Vendor Advisory |
| WebLogic Server Deserialization Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit, Third Party Advisory, VDB Entry |
| Oracle WebLogic Server 12.2.1.4.0 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit, Third Party Advisory, VDB Entry |
| Oracle Critical Patch Update Advisory - January 2020 | MISC | www.oracle.com | Vendor Advisory |
| Oracle Critical Patch Update Advisory - October 2020 | N/A | www.oracle.com | Vendor Advisory |
| Oracle Critical Patch Update Advisory - January 2021 | MISC | www.oracle.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.