Unauthenticated Network Vulnerability in Oracle Coherence by Oracle
CVE-2020-14756

9.8CRITICAL

Key Information:

Vendor: Oracle
Status: Utilities Framework
Vendor: CVE Published:; 20 January 2021

Badges

👾 Exploit Exists🟡 Public PoC

Summary

An unauthenticated network vulnerability has been identified in Oracle Coherence within the Oracle Fusion Middleware suite. This vulnerability enables remote attackers to exploit the system via IIOP and T3 protocols, potentially resulting in the complete takeover of Oracle Coherence. Affected versions include 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, highlighting the need for immediate security measures to protect sensitive information.

Affected Version(s)

Utilities Framework 4.2.0.2.0

Utilities Framework 4.2.0.3.0

Utilities Framework 4.3.0.1.0-4.3.0.6.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-14756
Created by Y4er

References

https://www.oracle.com/security-alerts/cpujan2021.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpujan2022.html

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Feb 4, 2021
👾
Exploit known to exist
Feb 4, 2021
Vulnerability published
Jan 20, 2021
Vulnerability Reserved
Jun 19, 2020