oracle enterprise-repository CVE-2020-11998 in Oracle and Apache Products
Published on September 10, 2020

product logo product logo
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13

NVD


Products Associated with CVE-2020-11998

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-11998 are published in these products:

Oracle Enterprise Repository
 
Apache ActiveMQ
 
Oracle Communications Diameter Signaling Router
 
Oracle Communications Element Manager
 
Oracle Communications Session Report Manager
 
Oracle Communications Session Route Manager
 
Oracle Flexcube Private Banking
 

Exploit Probability

EPSS
6.91%
Percentile
91.30%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.