Oracle Coherence (Caching, CacheStore and Invocation Components) is prone to a remote vulnerability that allows attackers to take advantage of a Java deserialization vulnerability. By exploiting known methods, it is possible to remotely connect to the Coherence port via T3 protocol to invoke the extract method of the ReflectionExtractor class, which allows the execution of system commands. ExtractorComparator class is used to access ReflectionExtractor class, a bypass for the original patch for CVE-2020-2555.
CVE Link
Product Name