CVE-2024-20905 in JD Edwards EnterpriseOne Toolsinfo

Summary

by MITRE • 02/17/2024

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure SEC). Supported versions that are affected are Prior to 9.2.8.0. Easily exploitable vulnerability allows high privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 03/28/2025

The vulnerability identified as CVE-2024-20905 affects Oracle JD Edwards EnterpriseOne Tools within the Enterprise Infrastructure SEC component, specifically impacting versions prior to 9.2.8.0. This represents a significant security concern for organizations utilizing the JD Edwards platform, as it exposes the system to potential compromise through network-based attacks. The vulnerability resides within the enterprise infrastructure security framework, which serves as a critical foundation for the overall security posture of the JD Edwards environment.

This vulnerability is classified as easily exploitable, indicating that attackers with high privileged access and network connectivity can readily leverage it to compromise the targeted system. The attack vector specifically utilizes JDENET network protocols, which are fundamental communication channels within the JD Edwards ecosystem. The CVSS score of 2.7 reflects a low to medium severity classification with availability impacts, where the primary concern is the potential for partial denial of service conditions that could disrupt business operations. The security requirements for exploitation are categorized as high privileged access, suggesting that attackers must already possess elevated credentials or system-level access before attempting to exploit this weakness.

The operational impact of successful exploitation manifests as unauthorized partial denial of service, which can significantly disrupt business processes within the JD Edwards environment. This partial DOS condition may affect specific functionalities or modules within the EnterpriseOne Tools, potentially causing operational delays or service interruptions that could cascade through downstream business processes. Organizations relying on JD Edwards for critical business operations may experience measurable disruption to their workflow, particularly in environments where real-time data processing and transactional integrity are essential for business continuity.

The vulnerability demonstrates characteristics consistent with CWE-284 (Improper Access Control) and aligns with ATT&CK techniques involving privilege escalation and denial of service operations. Organizations should prioritize patch management activities to upgrade to version 9.2.8.0 or later, which contains the necessary security fixes to address this weakness. Additionally, network segmentation and access control measures should be implemented to limit exposure of JDENET protocols to authorized personnel only. Security monitoring should be enhanced to detect unusual network activity patterns that may indicate exploitation attempts, while regular security assessments should verify the effectiveness of implemented controls against similar vulnerabilities in the broader JD Edwards ecosystem.

Reservation

12/07/2023

Disclosure

02/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00521

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!