CVE-2020-14658

9.1 CRITICAL

📋 TL;DR

This is an unauthenticated remote code execution vulnerability in the Oracle Marketing component of Oracle E-Business Suite. Attackers can access, modify, or delete critical marketing data without authenticating. Affected versions are 12.1.1-12.1.3 and 12.2.3-12.2.9.

💻 Affected Systems

Products:
  • Oracle E-Business Suite - Oracle Marketing
Versions: 12.1.1-12.1.3 and 12.2.3-12.2.9
Operating Systems: Any OS running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Marketing Administration component specifically. Requires Oracle Marketing to be installed and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Oracle Marketing data including unauthorized access to all sensitive marketing information and ability to modify or delete critical business data.

🟠 Likely Case

Data exfiltration of marketing information and unauthorized modification of marketing campaigns, customer data, and business intelligence.

🟢 If Mitigated

Limited impact if network segmentation restricts access to Oracle Marketing servers and proper authentication controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The CVSS vector indicates the flaw is easily exploitable over HTTP without authentication. No public exploit code was known at the time of this advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update July 2020 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujul2020.html

Restart Required: Yes

Instructions:

1. Download the Critical Patch Update from Oracle Support.
2. Apply the patch to affected Oracle E-Business Suite instances.
3. Restart Oracle Marketing services.
4. Verify patch application via a version check.

🔧 Temporary Workarounds

Network Segmentation (linux)

Restrict network access to Oracle Marketing servers to authorized IP addresses only. In the rules below, trusted_network is a placeholder for your administrative CIDR, and 8000 is assumed to be the web tier's listener port; adjust it to the port your instance actually uses. The rules are appended (-A) to the INPUT chain, so they only take effect if no earlier rule already accepts this traffic.

iptables -A INPUT -p tcp --dport 8000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

Web Application Firewall (all platforms)

Deploy a WAF with rules to block suspicious HTTP requests to Oracle Marketing endpoints.

🧯 If You Can't Patch

  • Implement strict network access controls to limit Oracle Marketing server exposure
  • Monitor Oracle Marketing logs for unauthorized access attempts and unusual HTTP requests

🔍 How to Verify

Check if Vulnerable:

Check the Oracle E-Business Suite version and the installed components. If the instance runs an affected version with Oracle Marketing installed, it is vulnerable.

Check Version:

SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS;

Verify Fix Applied:

Verify Critical Patch Update July 2020 or later is applied. Check patch application logs and verify Oracle Marketing component version.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated HTTP requests to Oracle Marketing endpoints
  • Unusual data access patterns in marketing tables
  • Failed authentication attempts followed by successful data access

Network Indicators:

  • HTTP requests to Oracle Marketing paths from unauthorized sources
  • Unusual data volume transfers from Oracle Marketing servers

SIEM Query:

source="oracle-ebs-logs" AND (uri_path="/OA_HTML/*Marketing*" OR component="Marketing") AND user="ANONYMOUS"
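The SIEM query above expressed as a small standalone detector, as an added example that is not part of the original advisory: it applies the same predicate (a Marketing path or component, with user ANONYMOUS) to constructed key=value sample events and additionally flags hits from outside an assumed trusted range, matching the network indicator listed above. The log format, the trusted range 10.0.0.0/8 and the paths are assumptions; real OHS/EBS log formats differ.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

# Constructed sample access events (key=value form; not a real OHS/EBS log format).
SAMPLE_LOGS = """\
ts=2020-07-15T10:01:02Z src=10.0.5.12 uri_path=/OA_HTML/OA.jsp user=JSMITH status=200 bytes=4120
ts=2020-07-15T10:01:09Z src=203.0.113.7 uri_path=/OA_HTML/amsMarketingAdmin user=ANONYMOUS status=200 bytes=91223
ts=2020-07-15T10:02:31Z src=10.0.5.40 uri_path=/OA_HTML/amsMarketingCampaign user=ANONYMOUS status=200 bytes=512
ts=2020-07-15T10:03:00Z src=198.51.100.9 uri_path=/OA_HTML/RF.jsp user=ANONYMOUS status=200 bytes=300
ts=2020-07-15T10:03:44Z src=203.0.113.7 uri_path=/OA_HTML/OA.jsp component=Marketing user=ANONYMOUS status=403 bytes=0
"""

# Assumed trusted range: the advisory's "trusted_network" placeholder made concrete.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict (empty dict for blank lines)."""
    return dict(KV_RE.findall(line))


def matches_siem_query(event, path_glob="/OA_HTML/*Marketing*"):
    """Same predicate as the SIEM query:
    (uri_path matches the glob OR component == Marketing) AND user == ANONYMOUS."""
    path_hit = fnmatchcase(event.get("uri_path", ""), path_glob)
    component_hit = event.get("component") == "Marketing"
    return (path_hit or component_hit) and event.get("user") == "ANONYMOUS"


def is_trusted_source(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # a missing or malformed source address is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious(log_text):
    """Return matching events, each annotated with whether its source lies outside
    the trusted ranges (the network indicator from the advisory)."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event and matches_siem_query(event):
            event["untrusted_src"] = not is_trusted_source(event.get("src", ""))
            hits.append(event)
    return hits
```

Hits from a trusted source are still reported, because the page's query keys on the anonymous user rather than the source; the untrusted_src flag is there to prioritise triage.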
