CVE-2015-4852
In short
Oracle WebLogic Server has a critical vulnerability in its security component that allows attackers to execute arbitrary commands by sending specially crafted messages over the network. This happens because the server unsafely processes serialized Java objects without proper validation.
Technical detail
The WLS Security component deserializes untrusted T3 protocol messages received on TCP port 7001 without validation; an attacker can abuse classes from the bundled Apache Commons Collections library as a deserialization gadget chain to achieve remote code execution. Because no authentication is required, a remote attacker can send a crafted serialized object that causes the server to instantiate arbitrary classes and execute commands with the privileges of the WebLogic Server process.
Summary generated and translated by AI from the official description.
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
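The detection point that follows from the description above is the T3 session itself: an unauthenticated client banner followed by a Java serialization stream that names Commons Collections classes. As an added example (not from this page or from Oracle), the Python below inspects one captured client-to-server T3 message the way an IDS rule or a filtering proxy in front of port 7001 would; the T3 banner layout, the gadget class name and the sample bytes are constructed assumptions.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # header of every Java serialization stream
TC_CLASSDESC = 0x72                  # tag introducing a class descriptor (2-byte length + name)

# Classes a T3 client has no business shipping to the server. The Commons
# Collections prefix covers the gadget library named in the advisory.
BLOCKLIST_PREFIXES = ("org.apache.commons.collections.",)

def is_t3_handshake(data: bytes) -> bool:
    """T3 sessions open with an ASCII banner such as 't3 12.2.1\\nAS:255\\n...\\n\\n' (assumed layout)."""
    return data.startswith(b"t3 ") and b"\n\n" in data[:256]

def extract_class_names(data: bytes) -> list:
    """Collect class names from TC_CLASSDESC records that follow the stream magic."""
    names, start = [], data.find(STREAM_MAGIC)
    if start < 0:
        return names
    i = start + len(STREAM_MAGIC)
    while i < len(data) - 3:
        if data[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", data[i + 1:i + 3])
            name = data[i + 3:i + 3 + length]
            # Accept only plausible Java class names so stray 0x72 bytes are skipped.
            if length and len(name) == length and re.fullmatch(rb"[\w$.\[;]+", name):
                names.append(name.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names

def assess_t3_payload(data: bytes) -> dict:
    """Return a verdict for one captured client->server T3 message."""
    classes = extract_class_names(data)
    flagged = [c for c in classes if c.startswith(BLOCKLIST_PREFIXES)]
    return {"t3_handshake": is_t3_handshake(data), "serialized": STREAM_MAGIC in data,
            "classes": classes, "flagged": flagged, "verdict": "block" if flagged else "allow"}

def _class_desc(name: bytes) -> bytes:
    """Build a minimal TC_CLASSDESC record (constructed test data, not a complete valid stream)."""
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name + b"\x00" * 8 + b"\x02\x00\x00\x78\x70"

# Constructed samples: an assumed T3 banner followed by a serialized object (0x73 = TC_OBJECT).
T3_BANNER = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
GADGET_CLASS = b"org.apache.commons.collections.functors.ConstructedTransformer"  # hypothetical class name
MALICIOUS_SAMPLE = T3_BANNER + STREAM_MAGIC + b"\x73" + _class_desc(GADGET_CLASS)
BENIGN_SAMPLE = T3_BANNER + STREAM_MAGIC + b"\x73" + _class_desc(b"java.util.HashMap")
```

Running `assess_t3_payload(MALICIOUS_SAMPLE)` yields a "block" verdict with the Commons Collections class listed under `flagged`, while the benign sample and non-T3 traffic are allowed.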
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 10
- github.com/roo7break/serialator (GitHub, ★ 31)
- github.com/zhzhdoai/Weblogic_Vuln (GitHub, ★ 17)
- github.com/AndersonSingh/serialization-vulnerability-scanner (GitHub, ★ 2)
- github.com/nex1less/CVE-2015-4852 (GitHub, ★ 1)
- www.exploit-db.com/exploits/46628 (Exploit-DB, unverified)
- packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html (CVE reference, unverified)
- www.exploit-db.com/exploits/44552 (Exploit-DB, unverified)
- www.exploit-db.com/exploits/42806/ (CVE reference, unverified)
- www.exploit-db.com/exploits/46628/ (CVE reference, unverified)
- www.exploit-db.com/exploits/42806 (Exploit-DB, unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html
https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852
https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4852
https://www.exploit-db.com/exploits/42806/
https://www.exploit-db.com/exploits/46628/
http://www.openwall.com/lists/oss-security/2015/11/17/19
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html