CVE-2020-14875

9.1 CRITICAL

📋 TL;DR

This vulnerability in Oracle Marketing allows unauthenticated attackers to remotely manipulate or access sensitive data via HTTP. It affects Oracle E-Business Suite Marketing component versions 12.1.1-12.1.3 and 12.2.3-12.2.10, posing significant risk to organizations using these versions.

💻 Affected Systems

Products:
  • Oracle E-Business Suite Marketing component
Versions: 12.1.1-12.1.3 and 12.2.3-12.2.10
Operating Systems: Any OS running Oracle E-Business Suite
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Oracle Marketing Administration component specifically. All installations within affected version ranges are vulnerable unless patched.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Oracle Marketing data: unauthorized creation, deletion and modification of critical data, plus full read access, leading to a data breach or manipulation of the system.

🟠 Likely Case

Unauthorized access to and manipulation of marketing data, potentially exposing customer information and business intelligence.

🟢 If Mitigated

Limited impact if network segmentation, authentication controls, and monitoring are in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH - Attackers can exploit remotely without authentication via HTTP, making internet-facing instances extremely vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the Oracle Marketing instance.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The CVSS vector indicates the flaw is easily exploitable by unauthenticated attackers with network access. No public exploit code was identified in the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Oracle Critical Patch Update October 2020 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2020.html

Restart Required: Yes

Instructions:

1. Download the October 2020 Critical Patch Update from Oracle Support.
2. Apply the patch to affected Oracle E-Business Suite instances.
3. Restart Oracle Marketing services.
4. Test functionality post-patch.

🔧 Temporary Workarounds

Network Access Restriction (platform: linux)

Restrict network access to Oracle Marketing instances using firewall rules so that only trusted sources reach the service. Replace the placeholders with your values; the ACCEPT rule must be inserted before the DROP rule, since iptables evaluates rules in order:

iptables -A INPUT -p tcp --dport <oracle_port> -s <trusted_ips> -j ACCEPT
iptables -A INPUT -p tcp --dport <oracle_port> -j DROP

Application Firewall Rules (platform: all)

Implement WAF rules to block suspicious HTTP requests to Marketing endpoints.

🧯 If You Can't Patch

  • Isolate Oracle Marketing instances from untrusted networks using strict firewall rules
  • Implement additional authentication layers or IP whitelisting for Marketing component access

🔍 How to Verify

Check if Vulnerable:

Check the Oracle E-Business Suite version and patch level. A system running an affected version without the October 2020 CPU is vulnerable.

Check Version (Oracle EBS database query):

SELECT RELEASE_NAME FROM FND_PRODUCT_GROUPS;

Verify Fix Applied:

Verify that the October 2020 Critical Patch Update is applied and check the Oracle Marketing component version post-patch.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Marketing Administration endpoints
  • Unauthorized data access or modification logs in Oracle audit trails

Network Indicators:

  • Unusual HTTP traffic patterns to Oracle Marketing ports from unauthorized sources

SIEM Query (pseudo-syntax; adapt to your platform's query language):

source="oracle_ebs_logs" AND (uri_path="/OA_HTML/*Marketing*" OR component="Marketing") AND (status_code=200 OR action="MODIFY") FROM external_ips
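The SIEM query above, carried through as an added detection example that is not from the original advisory or from Oracle: it parses constructed web-tier access log lines and flags requests to /OA_HTML/ Marketing endpoints from sources outside an assumed RFC 1918 allow-list, either successful (status 200) or using a modifying HTTP method in place of the query's action="MODIFY". The log format, URL paths, and IP addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in common log format; the IPs (TEST-NET ranges) and
# paths are illustrative, not real Oracle EBS URLs or real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2020:10:01:12 +0000] "GET /OA_HTML/MarketingAdminPG HTTP/1.1" 200 5120
10.0.0.15 - - [20/Oct/2020:10:02:03 +0000] "GET /OA_HTML/MarketingAdminPG HTTP/1.1" 200 5120
198.51.100.9 - - [20/Oct/2020:10:03:44 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/ams/Marketing HTTP/1.1" 302 0
203.0.113.7 - - [20/Oct/2020:10:04:10 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 2048
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Trusted source ranges are an assumption (RFC 1918); replace with your own allow-list.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MODIFYING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


def is_external(ip: str) -> bool:
    """True when the source address is outside every trusted range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def is_marketing_endpoint(path: str) -> bool:
    """Mirrors the advisory's uri_path="/OA_HTML/*Marketing*" pattern, case-insensitively."""
    return path.startswith("/OA_HTML/") and "marketing" in path.lower()


def find_suspicious(log_text: str):
    """Return (ip, method, path, status) for Marketing requests from external sources
    that either succeeded (status 200) or attempted a modification (POST/PUT/...)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        status = int(m["status"])
        if (is_marketing_endpoint(m["path"]) and is_external(m["ip"])
                and (status == 200 or m["method"] in MODIFYING_METHODS)):
            hits.append((m["ip"], m["method"], m["path"], status))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT: Marketing endpoint accessed from external source:", *hit)
```

Running the block on the sample input reports the two external requests (the successful GET and the POST) and ignores the internal request, the login page, and the unparseable line.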
