CVE-2020-2950: 
Oracle Business Intelligence Enterprise Edition (OBIEE) vulnerability analysis and mitigation

CVE-2020-2950 is a critical vulnerability discovered in Oracle Business Intelligence Enterprise Edition's Analytics Web General component. The vulnerability was disclosed in April 2020 and affects versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0. This vulnerability allows unauthenticated attackers with network access via HTTP to compromise the Oracle Business Intelligence Enterprise Edition (Oracle CPU Apr 2020).

The vulnerability stems from the lack of proper validation of user-supplied data within the BIRemotingServlet component, which can result in deserialization of untrusted data. The vulnerability has been assigned a CVSS v3.0 Base Score of 9.8 (Critical) with the following vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (ZDI Advisory).

Successful exploitation of this vulnerability can result in complete compromise of the Oracle Business Intelligence Enterprise Edition. An attacker can leverage this vulnerability to execute arbitrary code in the context of the service account, potentially leading to full system compromise with high impacts on confidentiality, integrity, and availability (ZDI Advisory).

Oracle has released security patches to address this vulnerability as part of the April 2020 Critical Patch Update. Organizations are strongly advised to apply these security updates to affected installations of Oracle Business Intelligence Enterprise Edition (Oracle CPU Apr 2020).