CVE-2020-14855
📋 TL;DR
CVE-2020-14855 is a critical vulnerability (CVSS 3.1 base score 9.8) in the Oracle Universal Work Queue component of Oracle E-Business Suite. An unauthenticated attacker with network access via HTTP can exploit it without user interaction; per Oracle's advisory the result is takeover of the Universal Work Queue component. The supported affected version is Oracle E-Business Suite 12.1.3, so any 12.1.3 deployment with the Universal Work Queue component installed and reachable over HTTP is exposed.
💻 Affected Systems
- Oracle E-Business Suite
📦 What is this software?
Oracle E-Business Suite (EBS) is Oracle's integrated suite of ERP, CRM and supply-chain business applications. Universal Work Queue (UWQ) is the EBS CRM component that gives agents a single, consolidated work list of items (service requests, tasks, leads and similar) drawn from the other CRM modules. It is served through the suite's application tier, which is why this flaw is reachable over HTTP.
⚠️ Risk & Real-World Impact
Worst Case
Takeover of Oracle Universal Work Queue: Oracle rates the impact as high for confidentiality, integrity and availability of the component (scope unchanged in the CVSS vector). A compromised component on the E-Business Suite application tier is then a foothold against the rest of the suite and adjacent systems.
Likely Case
Unauthenticated takeover of the Universal Work Queue component, with theft or manipulation of the work-item and customer data it handles and use of the compromised application tier as a pivot for lateral movement. Oracle's advisory does not describe the underlying flaw or state that it yields arbitrary code execution on the host, so treat remote code execution as a possible, not a confirmed, outcome.
If Mitigated
Limited impact if the application tier is isolated behind strong network segmentation and access controls, though the instance remains exploitable by anyone who can reach it from inside the trusted network.
🎯 Exploit Status
Oracle rates the vulnerability as easily exploitable: CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), meaning reachable over the network via HTTP, low attack complexity, no privileges and no user interaction required. This page references no public exploit or proof of concept; treat Internet-facing 12.1.3 instances as at risk regardless.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the Oracle Critical Patch Update of October 2020 for E-Business Suite 12.1.3, or any later CPU that supersedes it (Oracle CPUs are cumulative).
Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2020.html
Restart Required: Yes
Instructions:
1. Identify the E-Business Suite 12.1.3 patch numbers listed for CVE-2020-14855 in the October 2020 CPU advisory and download them from My Oracle Support.
2. Apply the patches to each affected 12.1.3 instance with adpatch in a maintenance-mode window, including any prerequisite patches the advisory lists.
3. Restart the application-tier services after patching.
4. Apply and test in a non-production environment first, then verify the patch registration (see How to Verify) before promoting to production.
🔧 Temporary Workarounds
Network Segmentation (Linux host firewall)
Restrict network access to the E-Business Suite application tier (where the Universal Work Queue component is served) to trusted networks. Replace TRUSTED_NETWORK with the trusted CIDR and PORT_NUMBER with the web-tier listener port. An accept rule alone changes nothing unless the port is otherwise denied, so the firewalld rule must be reloaded and the iptables accept must be followed by a drop for the same port.
# firewalld: add the rich rule, then reload so the permanent rule takes effect
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="PORT_NUMBER" accept'
firewall-cmd --reload
# iptables: accept from the trusted network, drop everything else to the port
iptables -A INPUT -p tcp --dport PORT_NUMBER -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport PORT_NUMBER -j DROP
Access Control Lists (any platform)
Implement IP-based access restrictions at the application or network level. The Oracle HTTP Server shipped with 12.1.3 is Apache 2.0-based, so the Order/Deny/Allow directives below apply. The /workqueue path is a placeholder: confirm the actual Universal Work Queue URL paths for your deployment from the Oracle advisory and EBS documentation before relying on this. Note also that AutoConfig regenerates the OHS configuration, so put the restriction in the customization include file rather than editing the generated httpd.conf directly.
# Oracle HTTP Server / Apache 2.0 configuration (path is a placeholder)
<Location /workqueue>
Order deny,allow
Deny from all
Allow from 10.0.0.0/8
</Location>
🧯 If You Can't Patch
- Isolate affected application-tier hosts behind strict network segmentation and firewall rules so that only trusted networks can reach them over HTTP.
- Put a web application firewall (WAF) in front of the application tier. Because the flaw's specifics are not public here, signature-based rules are guesswork; an allowlist that permits the Universal Work Queue paths only from trusted sources is the more reliable rule.
- Consider disabling or removing the Universal Work Queue component where it is not in use, following Oracle's documented procedure for your deployment.
🔍 How to Verify
Check if Vulnerable:
Check the Oracle E-Business Suite release and whether the October 2020 CPU patches are registered, using Oracle Applications Manager or the queries below against the APPS schema. Do not pass the APPS password on the command line (it is visible in the process list); let sqlplus prompt for it.
Check Version:
sqlplus apps
SQL> SELECT release_name FROM apps.fnd_product_groups;
A result of 12.1.3 means the instance is in the affected release.
Verify Fix Applied:
E-Business Suite application patches are recorded in the AD patch tables, not in the OPatch inventory (OPatch covers the database and middleware tech stack and does not list CVEs). Check for each 12.1.3 patch number given for CVE-2020-14855 in the advisory:
SQL> SELECT bug_number, last_update_date FROM apps.ad_bugs WHERE bug_number = '<patch number from the advisory>';
A row for every listed patch number means the fix is registered; no row means it is not applied. Oracle Applications Manager's applied-patch report shows the same information.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to the Universal Work Queue URL paths from sources outside the trusted networks, or with no authenticated EBS user (the /workqueue/* path used below is a placeholder; substitute the actual paths for your deployment)
- Requests to those paths that return server errors (5xx) in bursts, or unusual request methods and parameters
- Unexpected process execution by the application-tier OS user (for example applmgr)
Network Indicators:
- Unusual outbound connections from the application-tier host
- HTTP requests with suspicious payloads to the Universal Work Queue paths
SIEM Query (Splunk-style; adjust field names and the placeholder path to your environment):
source="oracle_http.log" uri="/workqueue/*" | where NOT cidrmatch("10.0.0.0/8", src_ip) OR status>=500 | stats count by src_ip, uri, status
Matching only on a bare status code or on strings such as "sql" in the user agent produces noise; correlate path, source network, authenticated user and status instead.
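The detection logic above, applied offline to access-log lines, as an added example that is not part of the original page or of any Oracle tooling. It parses Apache/OHS combined-format lines, keeps only requests to the Universal Work Queue paths, and flags those that come from outside the trusted network, carry no authenticated user, or end in a server error. The path prefixes, the trusted network and the log lines are all constructed placeholders for illustration; substitute the real UWQ paths and your own networks before use.

```python
import ipaddress
import re
from dataclasses import dataclass

# Apache/Oracle HTTP Server "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION: placeholder URL prefixes standing in for the real Universal
# Work Queue paths, which this page does not give. Replace with the paths
# confirmed from the Oracle advisory / your deployment.
UWQ_PATH_PREFIXES = ("/OA_HTML/uwq", "/workqueue/")

# ASSUMPTION: the trusted network used in the page's ACL example.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - jsmith [12/Oct/2020:10:15:01 +0000] "GET /OA_HTML/uwqMain HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2020:10:15:07 +0000] "POST /OA_HTML/uwqAction HTTP/1.1" 500 0 "-" "python-requests/2.24"',
    '10.9.8.7 - - [12/Oct/2020:10:15:09 +0000] "GET /workqueue/items?x=1 HTTP/1.1" 200 812 "-" "curl/7.64"',
    '198.51.100.9 - - [12/Oct/2020:10:15:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip, trusted=TRUSTED_NETWORKS):
    """True if ip lies in one of the trusted networks; unparseable addresses count as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def analyze(lines, prefixes=UWQ_PATH_PREFIXES, trusted=TRUSTED_NETWORKS):
    """Flag UWQ requests from untrusted sources, without an authenticated user, or returning 5xx."""
    prefixes = tuple(prefixes)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if not path.startswith(prefixes):
            continue  # not a Universal Work Queue request
        reasons = []
        if not is_trusted(rec["ip"], trusted):
            reasons.append("untrusted source")
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        if rec["status"] >= 500:
            reasons.append("server error")
        if reasons:
            findings.append(Finding(rec["ip"], path, rec["status"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ip} {f.path} {f.status}: {f.reason}")
```

On the constructed sample the authenticated request from the trusted network is ignored, the login page request is ignored because it is not a UWQ path, and the two remaining UWQ requests are flagged: the external POST for all three reasons and the internal unauthenticated GET for the missing user. In production, feed the function real OHS access-log lines and tune the prefixes and trusted networks to your deployment.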